I'm strongly in favour of very-near-field chips, at < 1cm range preferably. In a wearable form factor, these are replaceable but difficult to misplace or lose.
https://www.yubico.com/start/meet-the-yubikey/
Works virtually anywhere (Except iOS) since it's a "keyboard" that generate a one-time-password for verification. And it also have NFC built in on the better keys.
The auth itself is query-response, replay attacks don't work.
I would not use it for authentication against the missile launch system, but my ex will probably not chop of my finger to access my Facebook account, nor will random bots trying to access my Gmail account.
Biometric data is a form of identity, as is the combination of username and password. Different forms of identity have different security trade-offs and removing nuance by comparing it to a single component of different form of identity is always counter-productive. Biometric authentication is its own thing with its own security characteristics that need to be understood outside the context of what we know about usernames and passwords.
Therein lies the issue with Biometric data being both username and password, for the most part. That most of the data is easily replicable aside, the fact is that you cannot control the cycle of your "credentials regeneration" since you're tied to the aging process. On top of that, the regeneration is even fairly predictable with current and past technology, and even non-technical solutions could accurately predict the physical changes in a person as they age.
Biometric data is a matter of convenience, not really security. Combine with an additional password, it at least serves the role of a Username well. For low-value items, it can make sense, provided proper pre-cautions are taken for actually sensitive data. (e.g., unlocking your phone is fine provided that sensitive data is protected with additional precautions).
The hard part is making that look and feel like "login with a fingerprint".
That part of this appears to be MS and Google demonstrations of using biometrics to unlock what is essentially just an OS password manager for U2F keys, which wouldn't even raise an eyebrow if found in today's Android or iOS.
[1] The relevant part of the spec: "In order to provide evidence of user interaction, an external authenticator implementing this protocol is expected to have a mechanism to obtain a user gesture. Possible examples of user gestures include: as a consent button, password, a PIN, a biometric or a combination of these."
https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-cl...
What happens when you use iOS's password generator and manager and you lose or break your phone? Or the same but with LastPass?
You've either synced it or you lose all your passwords.
Another worry is that this sort of approach will effectively hide the authentication mechanism from the user. So while I may make the choice to use notional biometric login to a Facebook app on my phone, knowing all the risks and compromises that come with having a Facebook account, I may not wish to use a Facebook login for other authenticated services unrelated to Facebook (when I'm confronted with the option to log in with Facebook, I always choose the other option, whatever it is, even if it's "give up on using this system/service").
Personally, I'd be more inclined to go this route (hardware key versus an app on my phone that uses my fingerprint or a facial scan).
[0]: https://www.yubico.com/2018/04/yubico-rsa-2018-passwordless-...
