I’m the product manager for Duo Mobile. I appreciate this feedback.
In general, we believe that mobile biometrics provides a layer of convenience that allows a user to use a more complex passcode, strengthening the overall security profile of a device. While we totally agree that not all mobile biometrics are created equal, when paired with device policies (Policy & Control | Duo Security), you can decide your organization’s tolerance level and security profile and enforce those properties at the time of authentication to corporate assets protected behind Duo. There have certainly been some terrible biometric implementations, largely by Android OEMs, but most of today’s modern devices have decent biometric capabilities suitable for the average person’s risk profile, and these solutions are only getting better with time via software and hardware upgrades. As with many security measures, the goal isn’t foolproof security, but instead to increase the complexity, cost, and time required to break into an asset.
By default, we do not require users to enable biometrics, but we do encourage them to enable various security features like screen lock, disk encryption, and an updated operating system. Overall, no one set of recommendations will ever cover every person’s risk profile.
We do agree with your point about biometrics vs. complex PIN codes. Though we have found consistently that users are bad at creating PIN codes, and unfortunately, most mobile OSs do not make choosing more complex passcodes super simple, allowing 4-digit passcodes by default. And devices with biometric capabilities usually strongly push users to set up these capabilities. We have also found that with 2FA devices many people use convenience as an objection to security, which goes to the heart of our approach of making security solutions easy to use so that people actually use them. You can read more about our research in our State of the Auth Report we published late last year.
I will also mention that Security Checkup can be turned off for an organization. While we don’t recommend this, you can turn it off by visiting the Duo Mobile section of the Settings page in the Duo Admin console.
I also wanted to share some interesting references: