Fingerprints are tokens, just like usernames and passwords.
Oddly enough, from a trust calculus standpoint usernames are not particularly valuable; we could do away with them entirely and the logic of authentication wouldn't change (though usernames add some very nice logistics that from a practical standpoint we don't want to give up).
At a very basic level, a single token suffices to authenticate: something you have, know, or are does prove you are who you claim to be (usernames just give a convenient handle to that). So, a 1TP from a fob, a password, or a fingerprint at a very basic level is enough.
Oddly enough, from a trust calculus standpoint usernames are not particularly valuable; we could do away with them entirely and the logic of authentication wouldn't change (though usernames add some very nice logistics that from a practical standpoint we don't want to give up).
At a very basic level, a single token suffices to authenticate: something you have, know, or are does prove you are who you claim to be (usernames just give a convenient handle to that). So, a 1TP from a fob, a password, or a fingerprint at a very basic level is enough.