It has real drawbacks, but I wasn't talking about what would be a good idea; I was talking about what would be a useful measure for preventing or recovering from account compromises. Iris scanning would be; KYC isn't.

That is know your eye, not know your customer.

Yeah I know eventually these will be linked by some data broker and will meld into the same thing.

But I compare it to using a fingerprint to unlock a password manager on your phone. That ain't KYC.

We're not allowed to say this but hashed biometrics with proof of liveness is probably the strongest authentication.