Voices, fingerprints and the like can easily be recorded. The reason why U2F keys are secure is because they work on the same principles as Bitcoin transactions, the server challenges you to sign a message, and only the correct key can do it, and the device does not expose sensitive data in the process. In the case of the YubiKey I linked, it won't even sign such a challenge unless the user explicitly gives consent by tapping it. Something like a trezor could go even further while still being convenient, but the YubiKey is inexpensive and 99% of the way there.