
Also, whatever is used as password must satisfy at least these 2 requirements:

  - It should be known only by you and
  - it should be easy to change in case it is compromised.
Fingerprints fail both requirements. They may be good identifiers, but are terrible passwords.


Why does this idea keep being perpetuated? Biometric auth is not "a picture of my fingerprint is the password."

Imagine a human guard tasked with authenticating people with a database of fingerprints. Someone comes up and says that they're John Jameson, the guard takes their hand and makes an impression with some ink and paper and then compares it to the impression they have on file for Mr. Jameson. Could you hack this system by lifting John's prints? Nope!

Why? Because the real trick to biometric auth isn't that your fingerprint is secret, it's that it's somewhere between difficult to impossible (depending on the metric) to produce a living breathing human with the same biometric readings as you. The strength of a biometric auth system is determined by how well it can determine that the reading it's taking is coming from a human. You don't ever have to rotate your fingerprint or your face because it doesn't need to be secret for these systems to work.


As I said: fingerprints are good identifiers, not good passwords.



