Reply to post: Read the specs

Windows 10 to give passwords the finger and dangle dongles

Anonymous Coward

Read the specs

Please read the UAF specs before commenting.

https://fidoalliance.org/specifications

* Your fingerprint does not authenticate you to the remote service. Nor is it sent to the remote service.

* You authenticate using a cryptographic private key. The fingerprint just unlocks the private key on the local machine (like a screen unlock on an iPhone).

* There is a different private key generated for each remote service, at the time you register for that service.

If your device is stolen, it may be possible somehow to unlock the key without the fingerprint (depending on how the device is designed); but in practice few attackers will have physical access to the device.

The primary weakness of this scheme appears to be in the registration. The protocol allows you to register multiple devices on the same account, but in order to register you have to identify yourself by some other means - i.e. your existing weak username and password.

Google intentionally designed the protocols so that colluding sites cannot identify that the same user is logging into them, and there's no "device ID" which could be a universal cookie. However this means you can't log in on device A and authorise device B.
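As an added illustration (not code from the post or from the FIDO specs), here is a Go sketch of the key-per-service model described above: the authenticator holds one ECDSA key per origin, only signs a server challenge after a local unlock that stands in for the fingerprint match, and the service verifies with the public key it stored at registration. The origins and the challenge are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is the device side: one key pair per relying party (keyed by origin) plus a local
// "unlocked" flag standing in for the fingerprint match; the fingerprint itself never leaves the device.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey
	unlocked bool // set by Unlock after the local biometric check
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func (a *Authenticator) Unlock(localMatch bool) { a.unlocked = localMatch }

// Register mints a fresh key for this origin and hands back only the public half.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[origin] = priv
	return &priv.PublicKey, nil
}

// Sign answers a service's challenge with the key bound to that origin only.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !a.unlocked || !ok {
		return nil, fmt.Errorf("locked, or no key registered for %s", origin)
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the server side: check the signed challenge against the stored public key.
func Verify(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
func main() {
	a := NewAuthenticator()
	a.Unlock(true) // constructed: pretend the local fingerprint matched
	pub, _ := a.Register("https://example.test")
	sig, _ := a.Sign("https://example.test", []byte("server-nonce"))
	fmt.Println("verified:", Verify(pub, []byte("server-nonce"), sig))
}
```

Registering on a second origin yields an unrelated public key, so two colluding services have nothing to correlate, and a signature for one origin does not verify under the other's stored key.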
