Passwords do need to be eliminated, but all the ideas you've cited as replacements are wrong. Passwords are not expensive to change. But they are prone to weak choices, compromise via reuse, and (most importantly) social engineering into disclosure to the wrong party (this encompasses phishing and a lot more).
Biometrics are not secrets whatsoever, and are not "something you have" unless you have a locally trusted digitization device whose sensors can't be tampored with to feed in prerecorded data. In the absense of that, they're a "something you know" that happens to be something everybody knows, and thus completely unsuitable for authentication. There is a trend to use tamper-resistant hardware to unlock the actual (non-user-facing) key/token stored inside it in response to biometric measurements (fingerprint and facial unlock of phones, etc.) but these are all defeatable with laughably bad fakes.
PINs work in a somewhat similar way, as a mechanism to unlock the real key/token, but use the tamper-resistant device to throttle against brute-forcing, so that you can get away with much shorter/simpler "something you know" secrets. These are less trivial to defeat, but still not strong. There will essentially always be attacks to bypass throttling or to extract all the data, at which point it can be quickly brute-forced on another machine.
The right replacement for passwords is public key authentication, with the private key held in an isolated device (something you have) and protected by a passphrase (something you know). The only difference between this and PIN is the strength that the word "passphrase" is intended to convey: the derived symmetric key used to encrypt the private key is sufficiently strong that, even if device is stolen and all data extracted, it can't be brute forced. Users of such a system must know never to enter the passphrase anywhere but on the isolated device, and to revoke and regenerate keys if they suspect the passphrase has been disclosed.
