Apple claims in this year’s WWDC that Face ID and Touch ID count for both Possession and Inherence identity factors, because they are using Biometrics (Inherence) to access the secure element on your phone (Possession) to retrieve a unique key. See here: https://developer.apple.com/videos/play/wwdc2020/10670/
I think both claims are a stretch. For Inherence, yes, you have proved to iOS that the person who set up Face ID is again using the phone, and therefore given access to the secure key. So iOS can claim Inherence. But your app has no proof that the human possessing the phone is actually your user. Hence my app considers mobile local authentication merely a convenient Knowledge factor–a shortcut for your username and password that resolves common credential problems like human forgetfulness.
As for Possession, again, I think the claim is a stretch unless before writing the unique key to the phone’s secure element you somehow prove that the possessor of the phone is your actual intended user. I suppose if you enable Face ID login immediately after account creation you can have this proof–the brand-new user gets to declare this is their phone like they get to choose their username and password. But on any login beyond the first you would have to acquire proof of Possession using an existing factor before you could grant a new Possession factor. Else a fraudster who steals credentials can claim their phone is a Possession factor by enabling Face ID; a situation made extra problematic by Apple’s claim that Face ID also counts as Inherence!
Am I wrong in this assessment? Which of Knowledge, Possession, and Inherence should an app developer grant mobile local biometric authentication?