
"Something I know, something I have, something I am". I think "something I am" is difficult to achieve.



I think a lot of people are questioning whether “something I am” is even a good target to aim for at all. As other folks in these comments have mentioned: if your fingerprints/retinas/DNA are compromised, you can’t change them the way you can with a password.


That's why you combine them. Nobody is saying auth should purely be based on biometric. It's all three: Something I know, AND something I have, AND something I am. If your DNA is compromised, you still have the thing you know and the thing you have to keep you secure.


So, they make you write the password down.

Then they take the Yubikey.

Then they take your eyeballs and your fingers.

I'm not so sure I want to encourage them to do #3.


I mean, if someone is forcing me to login at gunpoint, I'll gladly oblige - no need for them to gouge my eye out.

This is not the threat model being used here. This feature is meant to protect you when you forget your Yubikey on your laptop while on lunch break, preventing any co-worker from logging in/using the GPG keys stored within.


If someone is willing to do that to you to get to the things behind the password, it wouldn't matter whether you enrolled a biometric factor. At that point it's not a tech problem anymore.


Plenty of people are saying it should be purely biometric. For example, iPhones. (Though they do it better than the vast majority of implementations!)


By nobody, I meant here in this article.

Also, just a nit, iPhones aren't purely biometric. You have to input your PIN after reboot or a long period of inactivity. I'll agree it's still a bit too close to being a password for comfort though.


Something I know: The PIN (password)

Something I have: The Yubikey (hardware key)

Something I am: The fingerprint (biometrics)

So this Yubikey enables 3FA.


PINs and passwords are not the same, though: PINs are for devices and usually not intended to be sent anywhere else, unlike passwords. PINs are also protected from brute force, which is why they are usually just 4 numbers.


gpg and the OpenPGP card spec call it a PIN, but it's not restricted to numbers and can be quite long, though I don't remember the limit.

Passwords are normally also protected from brute force. Many places lock you out for some time after many failed attempts.

The "PINs are for devices" seems kind of arbitrary.
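An added example, written for this thread and not taken from gpg, Yubico or any commenter, showing what the two comments above are arguing about. A 4-digit secret is adequate when the device that holds it enforces a retry counter (the OpenPGP card convention is three wrong PIN attempts and the PIN is blocked; the counter resets on a correct PIN), but the same 4-digit secret is hopeless once an attacker holds something they can check offline, such as a server-side hash. The PIN value, the salt and the deliberately low PBKDF2 iteration count are constructed for the demo.

```python
"""
Constructed demo: on-device PIN with a retry counter versus an offline-checkable
hash of the same 4-digit secret. Not code from gpg, the OpenPGP card spec or Yubico.
"""
import hashlib
import hmac
import itertools
from typing import Optional, Tuple

MAX_ATTEMPTS = 3  # OpenPGP cards ship with a PIN retry counter of 3
DEMO_ITERATIONS = 100  # constructed: kept low so the offline search runs in well under a second


class PinVerifier:
    """Models a token that checks the PIN internally. The PIN never leaves the
    token; each wrong guess decrements the counter, and at zero the token
    refuses all further verifications, including the correct PIN."""

    def __init__(self, pin: str):
        self._pin = pin.encode()
        self.retries_left = MAX_ATTEMPTS

    @property
    def blocked(self) -> bool:
        return self.retries_left == 0

    def verify(self, guess: str) -> bool:
        if self.blocked:
            return False
        if hmac.compare_digest(self._pin, guess.encode()):
            self.retries_left = MAX_ATTEMPTS  # a correct PIN resets the counter
            return True
        self.retries_left -= 1
        return False


def brute_force_token(token: PinVerifier) -> Tuple[bool, int]:
    """Try every 4-digit PIN in order against the token.
    Returns (found, attempts_made); stops as soon as the token blocks."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=4):
        if token.blocked:
            break
        attempts += 1
        if token.verify("".join(digits)):
            return True, attempts
    return False, attempts


def hash_secret(secret: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """What a server might store if the 4-digit secret were used as a password."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)


def brute_force_hash(salt: bytes, target: bytes) -> Tuple[Optional[str], int]:
    """Offline search: nothing limits the attacker, so the whole 10**4 space is
    reachable. Returns (recovered_secret_or_None, attempts_made)."""
    attempts = 0
    for digits in itertools.product("0123456789", repeat=4):
        attempts += 1
        candidate = "".join(digits)
        if hmac.compare_digest(hash_secret(candidate, salt), target):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    demo_pin = "4271"  # constructed
    token = PinVerifier(demo_pin)
    print("token:", brute_force_token(token), "blocked:", token.blocked)

    salt = b"constructed-salt"
    print("hash: ", brute_force_hash(salt, hash_secret(demo_pin, salt)))
```

The point the code makes: the token attack dies after three guesses regardless of how short the PIN is, while the offline attack walks straight to the secret, here in a few thousand guesses, and no iteration count makes a 10,000-entry space expensive. A lockout-after-N-failures policy on a networked login is the same retry-counter idea applied server-side, which is why the "PINs vs passwords" line is about where the check happens rather than about the character set.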



But they can if they want.

Fundamentally, I think PINs in the traditional sense are just passwords with a tradition of particular password requirements.

You can also mention passphrases and say how they're different from passwords, but you can put passwords in fields labeled passphrases and passphrases in fields labeled passwords. They're all functionally the same.

EDIT: From the Password Wikipedia article[1]

> In general, a password is an arbitrary string of characters including letters, digits, or other symbols. If the permissible characters are constrained to be numeric, the corresponding secret is sometimes called a personal identification number (PIN).

[1] https://en.wikipedia.org/wiki/Password


Not sending PIN over the network is the most important distinction between a proper PIN and a password.

https://docs.microsoft.com/en-us/windows/security/identity-p...


From the Wikipedia article you shared:

> In common usage, PINs are used in [...] internet transactions or to log into a restricted website.

EDIT: Also, the IRS uses PINs online[1]:

> Your IP PIN will be displayed to you online once we verify your identity. A new IP PIN is generated for each filing season and can be retrieved starting in mid-January of each year by logging into the account you create.

They even allow you to enter it on paper[2]:

> Paper Return: [...] Enter your IP PIN(s) as applicable in the boxes marked "Identity Protection PIN" in signature area of the return.

EDIT 2: There are also many employee time-clocks that use PINs to authenticate the employees, like this one[3]. You can connect to them through the network to export some nifty reports that include everyone's PIN, like this one[4].

I'm sure use of PINs is also common with ERPs and POS systems (to authenticate a cashier supervisor authorizing some action), and those are also networked.

EDIT 3: On the Microsoft link you provided, they're talking specifically about the PINs in Windows 10. I wouldn't take that page as talking about all PINs in general.

[1] https://www.irs.gov/identity-theft-fraud-scams/get-an-identi...

[2] https://www.irs.gov/identity-theft-fraud-scams/frequently-as...

[3] https://www.alliedtime.com/Compumatic-XLS-21-Badge-Time-Cloc...

[4] https://www.alliedtime.com/v/vspfiles/assets/images/pdfs/com...





