Abstracted across a network, most biometrics implementations can still be boiled down to the category of "something you know". For a discussion of how that happens with "something you have," take a look at How is "something you have" typically defined for "two-factor" authentication?.
Biometrics suffers from a problem where once a credential is compromised, you can't change it. There are also some rather amusing compromises against fingerprint systems. Biometrics are great in certain areas, but logging into my bank account with a generic device and no password is not one of them.