"Something you have" is far more useful, especially if that something is itself cryptographically-based. Yubikeys, RSA fobs (generating one-time codes), and wearable NFC tokens (rings, amulets), and the like, which may be autheticated in part based on biometrics and other attestation, but are themselves revokable, would be a far better standard.
What the General Public can be expected to utilise willingly and effectively seems to be the larger problem, as well as what commercial and governmental standards are established.