Same thing, really, in this context. The biometrics are what uniquely identify someone (username, UUID, whatever). The password is what provides authorization. The problem is biometrics are being treated as both the identifier and the authorization.