The article is, unsurprisingly, light on detail, and the proposal doesn't have a great deal to do with the headline. The spec at W3, at least from a first skim, is a lot more informative.
This is absolutely *not* about random web-sites using your biometric information (or some magical hash thereof) as authentication. It's about using your biometric identification, or some other MFA, to unlock access to the credential store - something like Lastpass, Keepass, et al.
When you register with a site, you and the site generate authentication keys. You swipe your fingerprint, insert your USB magic-key, or whatever to unlock the secure key store, and your authentication key is stored - either in a secure enclave, or encrypted with a totally local key that's stored in the secure enclave.
When you go back to log into that site again, you're prompted to complete the same ceremony again to unlock the key store and retrieve the material you prepared earlier.
There's some more details on top of that to make sure that:
-the site asking for your credentials is the same site you registered with
-the site can *only* ask for the credentials associated with it, not convince you to swipe / insert / whatever and go fishing in your key store for other useful credentials
-the credentials are generated correctly to have lots of length and randomness in so password-style brute-force or rainbow tables aren't applicable
and the authentications are encrypted challenge / responses, rather direct exchange of actual key material, so you try to avoid replay attacks and the like.
The only place your biometric info is ever used (if you want to use it as one of your factors) is to unlock your local key store. It's never sent across the network.
I'm nothing like enough of a cryptohead to say if the details of the proposal are right or solid, but it doesn't seem insanely wrong, and it's certainly not "OMG everyone now has my fingerprints instead of a password!"