Why are we required to use antiquated passwords, when ApplePay uses TouchID or FaceID for primary login, or iPhone’s easy to remember six digit passcode for backup login?*

Because hardware matters?

Password may be antiquated but, since it uses a deterministic model, it’s foolproof. Either it’s right or it’s wrong. And that does not depend on whether you enter it into a $25 or $1000 device, that device is clean or dirty, it’s raining or snowing, you’re wearing gloves or mask, etc.

On the other hand, TouchID, FaceID and other forms of biometrics-based authentication use stochastic models and are hence not foolproof. Four out of 10 times, the fingerprint scanner on my laptop recognizes my fingerprint on the first attempt, 4X on the second or third attempt, and 2X not at all.

As I highlighted in Hardware Matters:

This is where the extent to which one can rely upon biometric authentication depends on the specs and quality of hardware one uses to capture the fingerprint (or any other biometric attribute).

A high quality fingerprint reader captures more raw data in less time and thereby improves the speed and reliability of authentication. Whereas, a low quality fingerprint scanner extracts lower amount of raw data, which makes it difficult for the authentication software to meet the matching threshold.

As a result, low quality fingerprint scanners lead to many false positives (where the wrong person is allowed entry into a fingerprint-based access control area because their fingerprint is approved wrongly) and false negatives (where the right person is denied entry into the same area because their fingerprint is rejected wrongly). Both of these issues drastically undermine the quality of the outcome driven by authentication.

While the common man may expect everybody to use “high quality” for everything, it’s not practical for large scale use cases – Aadhaar, laptop, smartphone – to invest in high-end fingerprint scanners. With the kind of entry-level fingerprint scanners used in many of these applications, it takes several attempts for the required raw data to be captured at the required quality. Consequently, the user is often not authenticated on the first attempt.

I’ve been in application security field for 15 years. There was never a time during this period when pundits didn’t dunk on passwords and predict that they will get replaced by biometric authentication the next year. Still we are where we are.

*: This is the original question I answered. I’m repeating it to help me make sense of my answer in case it’s moved to / merged with some other question that I didn’t answer.