Yeah biometrics are not password replacement. The solution everyone uses today is "something you have (2fac device) + something you know (password)" -- the 2fac device needs to be a OTP generator, but you could even further secure this by requiring biometrics to generate the OTP (e.g. imagine a security key that refuses to acknowledge touch unless it senses your fingerprint).

Biometrics without the other two doesn't help anyone.