I don't see the fundamental difference between stealing/spoofing someone's biometrics vs. their secrets.

Both are bits of data stored in the body (including mind and pockets) that suggest the owner is giving consent.

They both have flaws, but what are the alternatives?

The bios represent identity.

The mind provides authority.

Use both!

But don't mix them up. The mind is more secure than the body because information cannot be forcefully extracted from the mind. Yet.

I think a better solution for authentication is a combination of a cryptographic key or seed and a passphrase held in the mind. Keys could be provided by an NFC ring or smartwatch, which should be more difficult to lose or have stolen than a phone.

Bitcoin has a nice solution for cryptographic keys with BIP-32/BIP-39. You use a single master key to deterministically generate all others via a HKDF. The single master key is produced from a 12/24-word phrase plus an optional passphrase.

A good opsec for bitcoin is to have several copies of a phrase (which can be etched into stainless steel), so there is no single point of failure if lost/stolen, and you can use several passphrases for different wallets, which you don't write down anywhere.

You can use a word phrase with no passphrase in a "decoy" wallet and monitor on-chain if any bitcoin are spent in it. This would alert you that your seed phrase has been compromised but would not compromise your passphrased wallets.

To replicate this kind of decoy with passwords, you could store a login for some service which emails you if anybody logs in.

The decoy method also provides plausible deniability. There is no way to prove that there exists any other keyrings with other passphrases, and there is also no way to prove that you have provided every possible passphrase, even if you have provided all of the ones you do use.