
I still don't get how people are ok using these things without a fingerprint reader...


Because biometric authentication is a joke in the security industry?

Biometrics are fine to identify someone. Biometrics, being public data, are not acceptable for authentication nor authorisation.

To use another example:

You get to border control, and present your passport. The agent ensuring that the description in the passport matches the person standing in front of him/her, that is identification. The agent verifying that your passport is genuine and valid, that is authentication. The agent giving you access to a country based on the laws and arrangements between those two countries, that is authorisation.

Anything that can be copied/stolen with a good enough picture or forgotten glass/mug is not good enough for authentication/authorisation.


Why? This is the hardware factor in a two-factor authentication scheme. Someone purloining your YubiKey would still need a PIN or password to proceed in most 2FA schemes. The only thing biometrics would add is preventing someone from physically taking your YubiKey and abusing it along with the knowledge factor gleaned from you. That is a valid concern in some specialized cases, but certainly not the common use case 2FA aims to address.

And even if it was: if someone is willing to physically intervene in your security by stealing your YubiKey, chances are they are willing to 'coerce' you to cooperate with unlocking a biometric lock as well…


You should turn off your fingerprint readers. Courts the world over are starting to agree with law enforcement that they have the right to take your fingerprints, and they have the right to do whatever they want with those fingerprints short of disclosing them to the public.

Sooooo... fingerprint auth is a useless security measure even for normal citizens.


I've probably posted this a dozen times, but Dustin Kirkland (the Linux eCryptfs maintainer) so eloquently put it that fingerprints (and all biometrics) make wonderful usernames, and horrible passwords:

http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...


They're used as second-factor authentication, not on their own, and are generally linked to a TOTP/HOTP mechanism. They (depending on which technology you use) create unique, pseudo-random codes to enter (linked to some salt+time value) along with a passphrase or another auth factor (could be a smartcard of course).


Wouldn't that make it 3FA? I'd need my password, my physical key and my fingerprints?


One could then argue the Google Authenticator app running on my iPhone is 3FA, as one needs to be able to unlock my iPhone to access it.


I would definitely argue that it's 3FA.

* Something you know - the service's password

* Something you have - the phone with the authenticator

* Something you are - your fingerprint

EDITED - formatting



