I am not an attorney, and am not providing legal advice – just the advice of someone working in cyber security.
To my understanding, you can be compelled to provide your password. The issue of fingerprint is being argued – but it is terribly simple to obtain your fingerprint from any surface you have touched and use it to unlock your device. Although the issue of facial recognition hasn’t yet hit the courts, it most surely will. But as with fingerprints, is simply too easy to bypass.
I recommend not using prints or face to unlock your device. Instead, use a strong password (minimum 15 characters). For mobile devices, you can use as few as 6 characters if it is configured to erase after 10 failed password attempts.