Authentication

MFA

  • Something You Know (e.g. a password, a PIN etc)

  • Something You Have (e.g. a smart card, a token, an authentication app code, an SMS message etc)

  • Something You Are (e.g. fingerprint, retina pattern etc)

  • Do use Multi-Factor Authentication (MFA) where possible

  • Don't use SMS authentication (as there are known vulnerabilities that allow redirection of SMS text messages to an attacker's phone)

  • Do use an authentication app (e.g. Microsoft Authenticator), a physical security token (e.g. RSA) or a physical presence device (e.g. Yubikey)

  • Biometric authentication has some drawbacks: your biometric data doesn't change, so once someone obtains your fingerprint data you are compromised for good; if you accidentally damage your fingerprint (who hasn't temporarily sanded off a fingerprint?) you can't authenticate with it; and if you were cornered by someone determined to access your account, would you rather lose your finger (or your eye) or your YubiKey?

  • Be aware of the difference between true MFA and multi-step authentication. An example of multi-step authentication is entering a username/password and only being prompted for an MFA token if the password was correct; the prompt itself tells an attacker that the password was right. True MFA is more secure because an attacker gets no indication of which factor is wrong. Note that the inputs for true MFA can still be gathered in multiple steps, as long as there is a single validation step.
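The distinction in the last bullet, shown as an added Python example (not code from the original notes): a multi-step login that answers per factor beside a single-validation login that checks both factors and returns one uniform failure. The password hash, salt and TOTP seed are constructed for the demo, and the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step).

```python
import hmac
import hashlib
import struct

# Constructed demo credentials for one user (not real secrets).
SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 50_000)
TOTP_SECRET = b"constructed-20-byte-seed"
STEP = 30


def verify_password(candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 50_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(candidate: str, at: int) -> bool:
    # Accept the current window and one on either side to tolerate clock drift.
    return any(hmac.compare_digest(candidate, totp(TOTP_SECRET, at + d * STEP))
               for d in (-1, 0, 1))


def login_multistep(password: str, code: str, at: int) -> str:
    """Multi-step: the password is judged on its own, so the reply leaks which factor failed."""
    if not verify_password(password):
        return "bad password"      # attacker learns the password was wrong ...
    if not verify_totp(code, at):
        return "bad code"          # ... or that the password was right
    return "ok"


def login_mfa(password: str, code: str, at: int) -> str:
    """Single validation step: both factors are always evaluated and the failure is uniform."""
    pw_ok = verify_password(password)
    code_ok = verify_totp(code, at)
    return "ok" if (pw_ok and code_ok) else "authentication failed"
```

Both functions accept the same inputs, so the prompt for the code can still be a separate screen; what changes is that nothing is decided until both values are present.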