Biometrics can be forced by police. Passwords cannot. The only time biometrics should ever be used is somewhat as a 2nd factor but better as a 3rd factor for systems that support it. Each one protects against different vectors of abuse. Passwords are known but can be shared. Biometrics can be forced but cannot easily be shared. Physical tokens can be forced or stolen. Many other so-called 2nd and 3rd factor authentication mechanisms are utilized because they allow companies to uniquely identify you as a person, so those should be avoided. Phone-based codes, for instance, allow them to tie what is usually just a random username or account to a real physical human identity. Zero trust should always be the goal.
Password, biometrics, and tokens together equal someone that knows something, has something, and that the actual person is present, but it does so in a way that does not necessarily have to tie a real human identity to that account. Even the biometrics without significant additional information cannot be tied to a real human's name, address, phone number, etc. But I also believe that only password should be a requirement. The rest should always be up to the user. There are legitimate use cases where people NEED to allow other family members access to their accounts. That is 100% the decision of the owner of the account, not the company providing the account.