Fingerprints are not private though, so they fail your very first criterion of passwords. Fingerprints are also not arbitrary[1]: it is possible to combine two (or more) fingerprints, resulting in a new "fingerprint" in its own right, as well as being a fingerprint that is similar enough to the two (or more) original fingerprints to have a high chance of fooling most sensors on smartphones for all fingerprints involved. Also, uniqueness vs. arbitrariness smells like a false dichotomy to me. Something can be both arbitrary and unique (see for example UUIDs).
[1] -