Teach the phone software to tell the difference between a living person and an image. How do you change the YOUR FACE password when someone figures out a large enough picture opens your devices?
The secondary password stuff is the primary and has been for a very long time. Stop giving everyone your bio-metrics.