Passwordless solutions might be convenient in many situations but they aren't a panacea. They are not always more secure than passwords and create issues on their own. Typical examples:
- Your fingertip can be easily pressed against the reader by force, against your will. You can even be unconscious at that time. Bandits or security services in some countries, doesn't matter.
- SMS messages as a the second factor can be easily intercepted on the phone service provider level (again, by state security services or by corrupted provider employees). Also there are plenty of trojans for smartphones covertly intercepting SMSes from popular banking services.
- Push notifications in authenticator apps depend on phone Internet connectivity that is not always available. A typical example: a technical fault at the phone provider side, travelling abroad where roaming tariffs are too high or another compatibility/connectivity issues are present. In addition, the phone can be physically damaged, lost or stolen, which would create a major problem for at least days.
All in all, passwords have their drawbacks but it's the secure enough and always working mechanism under condition you use them in a right way. Regarding passwordless solutions, there is also a rule that never should be ignored: they should be two-factor, and the second factor device must be physically different from the device where you're trying to log in. Of course, it's always good to implement the second factor for passwords as well.
Microsoft