As explained previously in the What is Multi-factor Authentication blog post, authentication factors are typically divided into three categories: what you know, what you have and what you are. A typical smartphone can supply all three:
What You Have
Most devices require physical interaction with the device for access. Since the device is portable, use of the device itself can be considered a factor. Someone must take possession of the phone in order to access information on the device. Typically, this factor is only defeated through loss, theft or legal compulsion.
What You Know
While most phones will still let a user run without a PIN or passcode, a PIN is considered a minimum bar for phone security. Someone must guess or otherwise discover the information in order to gain access.
However, it's worth noting that many people still choose weak PINs and reuse passwords. A password reused across every website, for example, only needs to leak from one of them for an attacker to try it against all the others. PINs and passwords today are improved less by being complex than by being unique to the system they protect.
What You Are
Biometrics have historically gotten a bad reputation because they're intrinsic and thus unchangeable. We leave fingerprints everywhere, and many (if not most) fingerprint sensors can be fooled by a sophisticated attacker who has lifted a high-quality set of prints. When this happens, the user can't change their fingerprints--the biometric is effectively defeated until newer, better technology becomes available. It would be like a front door where the locks were impossible to change, even after the key was lost.
For this reason, biometrics are a constantly evolving technology and often are deployed with four specific requirements:
Biometrics shouldn't be the only factor for determining access. You need to use one or both of the other factors in order to be able to 'change the locks' should a compromise occur.
Biometrics are typically deployed for convenience and transparency. The goal in this case is not to answer the 'who's there' question, but to increase your confidence that the user who already proved their identity with another factor is still the one holding the device.
Because biometrics can be compromised permanently, they need to be an optional part of the overall system security.
Because the risk is usually of biometrics being captured in a way that can be replayed to the system, biometrics typically need to stay private. The system that knows the biometric parameters can't be allowed to share them.
With respect to Apple's design, iOS devices require physical possession of the device for most access, and they require a PIN or passcode to be set before Touch ID or Face ID can be enabled. The PIN or passcode is required on every reboot, after a run of failed biometric attempts or an extended period without unlocking, and for performing actions that impact overall security such as installing a software update or allowing backups. Touch ID and Face ID are then used to allow access in lieu of re-entering the PIN or passcode.
With Touch ID, Apple keeps all biometric information local and isolated in the 'Secure Enclave', which is essentially a separate coprocessor, with its own boot process and memory, on the same chip as the main CPU. Security-critical operations go through this enclave, including the biometric match itself and management of the keys that protect the device's storage. Because the enclave's software is isolated from the main operating system, even malware that otherwise hijacks the phone must still abide by its rules: it can ask for a match result or for the keys it is entitled to, but it is prevented from seeing the biometric template. Apple has stated that with Face ID, a portion of the "neural engine" that performs the facial recognition processing is protected within the Secure Enclave, so the face data stays private in the same way.
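The four requirements listed above and the Apple design just described can be expressed as a small policy model. The following is an added example written for this post, not Apple's code and not a description of the real Secure Enclave internals: the XOR key wrap, the integer-vector "templates", the match threshold and the five-failure lockout are all simplifying assumptions. What it shows is the shape of the design: the passcode is the root that unwraps the data key, the biometric template never leaves the enclave object, biometric unlock is refused until the passcode has been entered once since boot, and only the passcode can enroll or revoke a biometric.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample "biometric templates": small integer vectors standing in for a
# fingerprint or face embedding. Real sensors produce far richer data; the fuzzy
# match threshold below is an assumption for this model only.
ENROLLED_FINGER = (12, 40, 7, 99, 63, 21, 88, 5)
SAME_FINGER_NOISY = (13, 39, 7, 98, 65, 21, 87, 6)   # same finger, sensor noise
OTHER_FINGER = (77, 3, 50, 12, 9, 93, 30, 66)
MATCH_THRESHOLD = 16          # max total absolute difference accepted as a match
MAX_BIOMETRIC_FAILURES = 5    # assumed lockout count before the passcode is demanded


class Enclave:
    """Toy secure enclave: the only holder of the biometric template and the
    data-protection key. Illustrative model, not Apple's implementation."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._verifier = None        # HMAC tag proving a passcode is correct
        self._wrapped_key = None     # data key XOR passcode-derived key (toy wrap)
        self._data_key = None        # plaintext data key; dropped on reboot
        self._template = None        # biometric template; no method ever returns it
        self._locked = True
        self._bio_failures = 0

    # --- passcode: the root of trust ---------------------------------------
    def _kek(self, passcode):
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 200_000)

    def set_passcode(self, passcode):
        """First-time setup: generate the data key and wrap it under the passcode."""
        kek = self._kek(passcode)
        data_key = secrets.token_bytes(32)
        self._wrapped_key = bytes(a ^ b for a, b in zip(data_key, kek))
        self._verifier = hmac.new(kek, b"passcode-verify", "sha256").digest()
        self._data_key = data_key
        self._locked = False

    def unlock_with_passcode(self, passcode):
        kek = self._kek(passcode)
        tag = hmac.new(kek, b"passcode-verify", "sha256").digest()
        if self._verifier is None or not hmac.compare_digest(tag, self._verifier):
            return False
        self._data_key = bytes(a ^ b for a, b in zip(self._wrapped_key, kek))
        self._bio_failures = 0
        self._locked = False
        return True

    # --- biometric: convenience layered on top of the passcode --------------
    def enroll_biometric(self, template):
        """Allowed only while unlocked by passcode, so a biometric never stands alone."""
        if self._locked or self._data_key is None:
            return False
        self._template = tuple(template)
        return True

    def remove_biometric(self, passcode):
        """'Changing the locks': the passcode, not the biometric, revokes the biometric."""
        if not self.unlock_with_passcode(passcode):
            return False
        self._template = None
        return True

    def unlock_with_biometric(self, sample):
        # Refused when nothing is enrolled, when the passcode has not been entered
        # since boot (no plaintext data key), or after too many failed matches.
        if self._template is None or self._data_key is None:
            return False
        if self._bio_failures >= MAX_BIOMETRIC_FAILURES:
            return False
        distance = sum(abs(a - b) for a, b in zip(self._template, sample))
        if distance > MATCH_THRESHOLD:
            self._bio_failures += 1
            return False
        self._bio_failures = 0
        self._locked = False
        return True

    # --- device lifecycle and data access -----------------------------------
    def lock(self):
        """Screen lock: the data key stays inside the enclave, so biometric can reopen."""
        self._locked = True

    def reboot(self):
        """Reboot drops the plaintext data key; only the passcode can restore it."""
        self._data_key = None
        self._locked = True
        self._bio_failures = 0

    def data_key_available(self):
        return not self._locked and self._data_key is not None

    def install_update(self, passcode):
        """Security-impacting actions require the passcode even when biometric-unlocked."""
        return self.unlock_with_passcode(passcode)
```

The point to notice is which calls return False: a biometric sample presented right after `reboot()` is rejected even though it matches, because the enclave has no data key to release until the passcode recreates it, and `remove_biometric()` succeeds with the passcode alone. That is what makes the biometric an optional, revocable convenience rather than the thing the security of the device rests on.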