I've never understood why anyone would be comfortable with Face ID or Touch ID given all the possible attacks. Just use a PIN. You'll end up knowing it as a kinesthetic reflexive action anyways.
On GrapheneOS you can use a long passphrase for your primary unlock which you have to enter after a restart and for changing important settings, and a fingerprint+pin for 2fa as the secondary unlock. This is a great balance imo.