Security professionals have always distinguished three major potential factors for authentication:
- something you know
- something you have
- something you are (e.g. fingerprint / retina scans)
Part of the reason passwords have stuck around so long is that accurate and convenient enough biomarker device have been prohibitively expensive, and physical artifacts can be lost or stolen.
You can't put someone under sedatives to get them to reveal their password. To attack a password* you must coerce or trick a human brain into revealing it.
*Assuming various diceware-style caveats. Also, writing the password down and putting it anywhere other than a safety deposit box puts it back in the "something you have" category.
