
I am wondering whether you need a strong 1st factor (for theoretical correctness, please note it is the knowledge factor -- not necessarily a password, but it definitely also includes strong passwords).

What use case would there be for having a strong first factor?

Why can't we have a combo of the 2nd factor (what you have, a device) and the 3rd factor (what you are, biometrics) and do away with the 1st factor? What is it that keeps the 1st factor alive and kicking in day-to-day secure transactions?

  • There's nothing in the definition of multi-factor authentication that requires you to have a knowledge-based first factor. That's mere tradition (see http://security.stackexchange.com/questions/33470/what-technical-reasons-are-there-to-have-low-maximum-password-lengths/33471#33471) and you can do away with it if you want to. – Steve Dodier-Lazaro Jun 16 '15 at 16:38
  • As you cannot change/update/revoke the biometric factor, it is better to view it as an identification factor (like the username) rather than an authentication factor. – Anonymous Coward Sep 14 '15 at 14:23

4 Answers


Breaking a knowledge factor has a theoretical cost we can easily assure is beyond human capability (a password with 12 Diceware words will never be unhashed using an unbroken 256-bit hash). If we exclude human vulnerability and implementation vulnerability (and the fact that nobody uses a 12-word password), this is perfect security and provable as such (as long as we can't read human minds, at least).

Bio security isn't a theoretical identification; it is using natural parts of our identity that we are now able to read but not reproduce (your print, DNA and iris aren't private; everyone can access them). You can't determine how secure your authentication is; you can say it needs a really hard-to-produce device to fool your system, but you still have to admit this device can be built. This is just adding technical difficulty to breaking your authentication process, not an assurance of security.


Part of the problem with (the current state of) biometrics lies in the assumption that everyone has two eyes, or possesses thumbs, or somesuch.

This isn't a frivolous objection. I once worked on a project using fingerprint identification for medicine delivery in sub-Saharan Africa. We ended up needing to implement a password alternative due to the number of people who didn't have enough readable fingerprints -- largely due to missing hands/fingers -- for the system to identify them.

Can an iris scanner identify someone with burned/missing/replacement eyes? Not relevant to you, probably, or anyone reading this question, but system designers need to think of these things when assuming 100% availability of a given biometric.

  • One of the biggest common barriers to biometrics is pregnancy. A woman's body can alter itself significantly in all the areas that are commonly measured for biometrics. – schroeder Sep 14 '15 at 18:58


Though generally weak by constraint of human mental capabilities, knowledge-based authenticators have a unique property which the other two do not. That is, without technologically compromising the target client or server system (at which point n-factor authentication becomes fairly moot anyway), it requires a conscious effort on behalf of the owner for a knowledge factor to be disclosed to an attacker.

Your keys, ID badge, or other physical access tokens can be physically obtained by anyone within reach of them. This may take a moderate amount of effort on the attacker's part, especially to do it covertly. But, in the grand scheme of things, obtaining physical possession of most objects which are useful and convenient as access tokens is a fairly trivial matter.

Biometric data is even more trivial to come by. With today's technology, most convenient and affordable biometric authentication devices are still fairly easy to fool. And you're constantly spreading your authenticators everywhere on every surface you touch and in every photograph taken of you.

"Something you know", on the other hand, remains exclusively yours until such time as you personally choose to disclose it to a person or device. If you're properly storing a knowledge-based authenticator (that is, only in your head), it is nigh impossible for anyone to steal it against your will.

Nobody can simply snatch knowledge out of your purse, or lift it from a doorknob. They won't find it by combing through your Facebook pictures or rifling through your wallet when you're not looking. Your mind is yours alone, and it takes very extreme measures - especially compared to these - for anyone to take anything from it that you don't want them to.

Relevant XKCD:

[image: XKCD comic]

Playing it out a bit further:

2: Oh wait, we need his smart card!
1: Found it in his laptop bag.
2: And fingerprint?
1: Probably want to lift that before you break his fingers.
2: Okay, but I don't think he's gonna break.
1: Everybody breaks.
2: He says his name is "Jack Bauer".
1: Blast! Our evil plan is foiled!


Well, I think the biggest con is that the 3rd factor is either very expensive (iris scans, good facial recognition) or has some downsides. One example is a user who uses his fingerprint to log on but has cut himself; the system doesn't recognise his print and refuses access. This is why you can still log on with a PIN code on the newest iPhones.

  • "One example is a user who uses his fingerprint to log-on but he cut himself, the system doesn't recognize his print and refuses access." Most fingerprint bio readers read past the first skin layers, so that is usually not an issue. – rhymsy Jul 16 '15 at 12:50