In my opinion, authentication is a matter of risk reduction (on both sides), not of perfection. The idea is to increase the certainty that a visitor is who they say they are and that they can trust a system. So, each “factor” in “multi-factor” authentication is there to mitigate a specific kind of authentication fraud for a certain amount of effort.
What they know (secret/password)
A visitor gives evidence that they are who they say they are by communicating one or more pre-arranged secrets. To “fake” it, an attacker has to have stolen the knowledge from somewhere else.
Implementing a password is usually a simple technical task and well understood by the community. It’s akin to locking your car door, and most users feel comfortable that it helps keep them safe.
What they have (phone/email/SMS account)
A visitor has in their possession something that is usually only associated with the user they claim to be, and they have “free” access to use it. To “fake it”, they have to have stolen the thing physically, cracked its security and received the message outbound from the system. If all of a user’s devices have this, the attack must be simultaneous on multiple systems.
Requiring possession takes a little more technical effort than a password and is akin to requiring a key for your car.
What they are (biometrics/face/fingerprint)
A visitor appears to be biologically the same as the person they say they are. To “fake it”, they have to have enough knowledge of the human’s physical attributes and control over the measurement apparatus.
Some cars have fingerprint sensors to open the doors much like a key. Others have digital passwords (PIN).
Who they know (social)
A visitor is vouched for by another previously authenticated user. To “fake it”, an attacker has to convince another person that they are “the real version” of the person. Humans are pretty good at detecting each other and whether someone pretending to be a relation is actually one.
This takes more technical skill to pull off and is akin to having a “garage manager” retrieve your car for you or a co-driver.
How they behave (UX analysis/key logging/access patterns/etc…)
A visitor must perform a task and that task is measured against prior behaviour. To “fake it”, an attacker has to know enough about a person’s prior interactions with a system to duplicate them.
This is by far the most difficult to implement technically. Having to perform such a test every time you got into your car could be onerous, but it is implemented for things that have higher consequences (e.g. pre-flighting or taxiing a plane, where the performance becomes evidence of fitness to fly and multiple “experts” have to participate in granting permission).
So, while each of those measurements of authenticity can be spoofed, together they become very difficult to defeat. Difficult, of course, but not impossible.
Removing factors of authentication simply removes assurances and increases risk due to fraud. Risk of fraud has to be balanced against other factors as part of a security judgement by both users and operators.
The art of security UX is gathering assurance and making accurate statistical judgements without irritating or alarming the user. The more important security is to a user, the more likely they are to pay a premium to a service that demonstrates that it takes their identity seriously and artfully determines who they are.
If, for the specific users a CISO has, both sides feel that shared secrets (passwords) do not provide meaningful assurances (e.g. because biometrics also offer better assurance and better UX), while the other factors do, then that’s a risk call for them to make and it’s fine to do so.
IMHO, dropping a password is OK if there are enough other factors at play and users feel comfortable.
Hope this helps!
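An added example (not part of the answer above) of how the “assurance adds up” argument looks once it is written down as a policy. It implements three of the factors the answer lists: a salted password hash (what they know), a TOTP code from a device secret (what they have, RFC 6238, which is an assumption about how the possession factor is delivered), and a crude typing-cadence comparison (how they behave). The weights, the threshold and the `know`/`have`/`behave` names are assumptions chosen for the example; the point is that removing the password can still pass the policy when the remaining factors carry enough weight, and that a password alone does not.

```python
"""Risk-based multi-factor evaluation (illustrative; weights and thresholds are
assumptions for the example, not a recommendation)."""
import hashlib
import hmac
import os
import struct

# --- What they know: salted password hash (PBKDF2-HMAC-SHA256) ---------------
def hash_password(password: str, salt: bytes = b"", rounds: int = 200_000):
    """Return (salt, digest). A fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes, rounds: int = 200_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# --- What they have: TOTP (RFC 6238) computed from a shared device secret -----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept +/- `window` time steps to tolerate clock drift on the device."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))

# --- How they behave: inter-key timing compared to an enrolled baseline -------
def verify_behaviour(baseline_ms, observed_ms, tolerance: float = 0.35) -> bool:
    """True when the mean inter-key interval is within `tolerance` (35%) of the
    enrolled baseline. Deliberately simple; a real system would use more features."""
    if len(baseline_ms) < 2 or len(observed_ms) < 2:
        return False
    base = sum(baseline_ms) / len(baseline_ms)
    seen = sum(observed_ms) / len(observed_ms)
    return abs(seen - base) / base <= tolerance

# --- Policy: each verified factor adds assurance; the operator sets the bar ---
FACTOR_WEIGHTS = {"know": 1.0, "have": 1.5, "behave": 0.5}   # assumed weights

def assurance(results: dict) -> float:
    """Sum the weights of the factors that verified successfully."""
    return sum(FACTOR_WEIGHTS[name] for name, ok in results.items() if ok)

def decide(results: dict, threshold: float = 2.0) -> bool:
    """Accept the session when accumulated assurance meets the threshold."""
    return assurance(results) >= threshold

def evaluate_login(password, pw_salt, pw_digest, device_secret, code, now,
                   baseline_ms, observed_ms) -> dict:
    """Run every factor the user presented (None means the factor was skipped)."""
    return {
        "know": password is not None and verify_password(password, pw_salt, pw_digest),
        "have": code is not None and verify_totp(device_secret, code, now),
        "behave": verify_behaviour(baseline_ms, observed_ms),
    }

if __name__ == "__main__":
    # Constructed enrolment data for the demo.
    salt, digest = hash_password("correct horse battery staple")
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    now = 59                                   # RFC 6238 test vector -> 287082
    baseline = [120.0, 130.0, 125.0]
    observed = [128.0, 122.0, 131.0]
    with_pw = evaluate_login("correct horse battery staple", salt, digest,
                             secret, totp(secret, now), now, baseline, observed)
    no_pw = evaluate_login(None, salt, digest, secret, totp(secret, now), now,
                           baseline, observed)
    print("with password:", with_pw, decide(with_pw))
    print("password dropped:", no_pw, decide(no_pw))
```

With the assumed weights, possession plus behaviour (1.5 + 0.5) reaches the 2.0 bar without a password, which is the “enough other factors at play” case; a password alone (1.0) does not, and a stolen password with a mismatched device code and unfamiliar typing cadence scores the same 1.0. Changing the threshold or weights is exactly the risk call the answer describes, and it is visible in one place rather than spread across login code.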