If the card outputs "yes" or "no" you are creating new security incidents just waiting to happen - proxying, oracular attacks, faux cards that respond improperly to the binary question, etc. This means that your system is actually two-factor: a PIN and biometrics. A PIN is extremely weak, and for sure biometrics need to be designed and implemented properly.
Also, notice the other subtle dependency that was introduced with the PIN only kept on the card - the PIN might as well not exist.
This is all known. The issue isn't how to design a security system. The issue is the fly-by-the-seat-of-the-pants lack of security with deadline-driven products. Those products only appear to implement a feature set and really don't work, just appearing to work in order to achieve the release exit criteria of a minimum viable product. This gets compounded by products hardly ever revisiting their earlier phases, choosing in this case to add new web features instead of hiring a security team.