From a privacy perspective, why is collecting biometric data for authentication considered higher risk than password-based authentication?