Sorry, I’ve been focused on other threads, and didn’t mean to leave this one unanswered.
For launch, we targeted the most secure path possible for our users, who would be entrusting our NNS app and cycles wallet with holding value, while also not requiring any Personally Identifiable Information. We will continue developing for the most approachable onboarding we can manage while maintaining our security goals.
We have some more testing to do in order to make sure Windows biometrics start working without a security key, but otherwise a security key is the best solution for the security-conscious.
As for privacy concerns with biometrics, it is highly secure with the Web Authentication standard. Your device signs with a private key, and the Internet Identity only stores the public key result from the authentication ceremony. We don’t have any ability to trace or identify your device apart from whether it is able to successfully sign subsequent credential requests.