They are more of a second factor ("something you have") rather than a first factor ("something you know"). That being said, for the vast majority of people, the only attack they're worried about preventing is their phone being stolen then subsequently used to access their financial accounts, mail, or social media. This attack is handled well by FaceID, since if criminals are in possession of your phone and not your person, it's unlikely they'll succeed in unlocking your phone. On the other hand, if they are in possession of your person as well, then they have straightforward approaches to compel you that no amount of phone technology would protect you from.