So I woke up with a really stupid realization: for at least several of the ‘something you are’ MFA methods there is nothing that requires you to be alive.

That is, why worry about a victim’s thumbprint lock: just hack the thumb off, press it to the sensor, et voilà! Okay, so I am a touch slow when coming up with the exceptionally obvious attacks.

One of the key things in security is to regularly change your password/key/whatever, because the longer you use the same thing the longer an opponent has to defeat it. Hard to do if, say, your key is your unique heartbeat signature. Keeping in mind that, once digitized, it’s a password.

Actual actual reality: nobody cares about his secrets.
(Also, I would be hard-pressed to find that wrench for $5.)
- Randall Munroe