The Samsung Galaxy S3 has face recognition. It can be unlocked using a photo of the user. Google Images search, point cam at laptop, bingo you're in.

They "fixed" this in JellyBean.

too many false positives.

Now, an SD card with a certificate plus face recognition might be ok ;-)

Why an SD card? The phone itself is already a portable device you control.

It depends on the app but at least in the areas I work (business apps relating to tracking money) I wouldn't assume that device authentication is sufficient.

But for biometrics, keep in mind that biometric systems are currently seen as the most subject to false positives of any authentication system out there with the possible exception of improperly maintained and insufficiently strong passwords.