For proper user authentication the model always used to be that the user should present three things: something they were (a username for instance), something they knew (a password), and something they had (a OTP from a device, or a biometric). The idea being that, even if a remote attacker got hold of the username and password, they didn’t have the final factor, and if the user was incapacitated or otherwise forced to provide a biometric, they wouldn’t necessarily supply the password (or on really secure systems, they’d use a ‘panic’ password that would appear to work, but hide sensitive information and send an alert to the security team).

Now we seem to be rushing into a system where you have only two factors, the thing you have, namely your phone, and the other thing you have, namely a fingerprint or your face. Notably you can’t really change either of those, especially your biometrics, so they’re entirely useless for security. Instead your phone should require a biometric and a password to unlock. The biometric being ‘the thing you are’, the phone ‘the thing you have’, and the password being 'the thing you know.

So, yes, I’m entirely against fingerprint unlocking.