Security comes in three forms:
1. Something you know (passwords, access credentials)
2. Something you have (key, token, access cards)
3. Something you are (biometry, finger scans)
You can hardly improve on a single one of them. Requiring more or more elaborate forms of any does not really increase security sensibly. Brute forcing passwords or credentials is already pretty much a thing of the past. Requiring longer, more elaborate passwords do not necessarily lead to more security for more than one reason. The obvious one is, that you can NOT expect a human being to remember some bizarre character combination like d5Zn$2aUk%kR'snawP. What will people do? Note it down. Which turns security into a combination of 1 and 2, but an OR combination thereof. It's enough to EITHER know the password OR have the post-it that it was written on. The same applies to password vaults, where it becomes enough to have them, not know a password.
A good improvement of security means that you add another security group to the fold with an AND combination. Require a password AND a token. Like ATMs do, requiring your bank card AND a code. That it's not foolproof, well, ATMs are a good example why not. Coincidentally, a good reason just WHY they are not is actually lying in the fact that people, again, make the mistake of writing down their ATM code and storing it together with their card, reducing the security to a Model 2 only security. Which also illustrates why it is usually pretty pointless to create more of the same kind of security layer, because requiring two passwords only means I have to sniff two (being entered at the same time, meaning I get them at the same time), or requiring two tokens (because most humans store them at the same place, like the ATM card and the written down code).
So improving security can only mean requiring authentication from another group of the three. But ADDITIONALLY. Not instead of. Replacing passwords with fingerprint scanners (as seen quite often today, especially with laptops) does not really increase security by a lot. At least if we're talking about company laptops where the (currently) authorized user may well not be one anymore tomorrow. Though at least biometry ensures that the person entrusted with access cannot easily grant it to a third person, unless he is physically present.