How many times, a biometric is NOT AUTHENTICATION.
It's the "username", not the "password" and does absolutely nothing to verify that someone is who they claim/appear to be.
And, as demonstrated, anyone can get that username from the user - because it's readily-available and not seen to be "the password". Something accesses your front-facing camera that you also use to log into a device? Oh, look, that have all the data they need to now know what you look like. It doesn't matter what fancy obstacles you try to put in the way (e.g. IR camera, etc.), it's there for them to take, replicate and use forever.
And when that's your username? Who cares. When it's your password? That's just dumb, insecure and wrong.
Stop with the biometrics. Just stop. They are absolutely useless past the point where the computer says "Hello, Dave, would you like to log in?"