Overall a good post, thanks for sharing. Longtime RF user, it's on all my devices.
This is not about Passwords or Biometrics, and which one is better. But the truth to minimizing security breaches is to turn the internet on its head. I don't think it's difficult to implement, but it will be very difficult to get past the advertisers' greed, and their mission to monetize your private data; then turn around leaving it on the table for others to easily swipe. The money-making system wants your data, and I believe that's the root of the problem.
The key is to stop (or minimize) collecting people's credentials and storing them on the host side; instead, keep them stored on the client side. It makes it a lot more difficult to have access to large amounts of personal data - it's widespread and not centralized in one location to target.
Reducing the value of the data stored on the host side is key to reducing the appeal to steal it.
We have the technology to build it.