Background: My team's mobile apps have biometric sign in (Touch ID, Face ID, fingerprint). You can enable and disable biometric sign in when you are signed in. You always have the option to sign in with username and password (and have to in many scenarios, if for instance your fingerprints on the device were updated).
The question is, say a user that has biometric sign in enabled goes through a password reset. There are two paths I can see:
A) Keep allowing them to sign in with biometric (Touch ID, Face ID, fingerprint). Password reset is unrelated to biometric sign in.
B) Don't allow them to sign in with biometric until they have successfully signed in with the reset password.
I'm in camp B but I can't say why exactly beyond that it feels more secure. Is there any best practice here?
If this question has already been answered somewhere, or this is not the right community, please point me to the right place :)
Thanks
Edit: I've noticed a few apps fall into camp A so I'm leaning that direction now. Still curious what others think though, or if I'm overthinking this ha.
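An added illustration of the two paths (not part of the question above): on a phone, biometric sign-in normally does not send the fingerprint anywhere; it just unlocks a long-lived token kept in the device keystore, so the real design decision is whether that stored token survives a password reset. The model below (AuthServer, Account, cred_gen and the "A"/"B" policy switch are all hypothetical names) bumps a credential generation counter on reset and, under path B, rejects tokens issued before it until the user signs in again with the new password.

```python
# Hypothetical model of biometric sign-in vs. password reset (added example).
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    password: str
    cred_gen: int = 0              # bumped on every password reset

@dataclass
class AuthServer:
    accounts: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)   # token -> (user, cred_gen)
    policy: str = "B"              # "A": tokens survive reset, "B": they do not

    def login_password(self, user, password):
        acct = self.accounts[user]
        if password != acct.password:
            return None
        tok = secrets.token_hex(16)        # long-lived token the app will store
        self.tokens[tok] = (user, acct.cred_gen)
        return tok

    def reset_password(self, user, new_password):
        acct = self.accounts[user]
        acct.password = new_password
        acct.cred_gen += 1                 # every earlier token is now "stale"

    def login_token(self, tok):
        entry = self.tokens.get(tok)
        if entry is None:
            return False
        user, gen = entry
        if self.policy == "B" and gen != self.accounts[user].cred_gen:
            del self.tokens[tok]           # stale: force a password sign-in
            return False
        return True

def biometric_flow(policy):
    """Returns (works_before_reset, works_after_reset, works_after_relogin)."""
    srv = AuthServer(accounts={"alice": Account("hunter2")}, policy=policy)
    # Enabling biometric sign-in: password login, token stored behind Touch ID / Face ID.
    stored = srv.login_password("alice", "hunter2")
    before = srv.login_token(stored)       # biometric unlock releases the token
    srv.reset_password("alice", "correct-horse")
    after = srv.login_token(stored)        # same stored token after the reset
    stored = srv.login_password("alice", "correct-horse")   # re-enrol under path B
    relogin = srv.login_token(stored)
    return before, after, relogin
```

Under policy "A" the old token keeps working after the reset; under "B" it is rejected once, which is exactly the moment the app would have to fall back to username and password.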