You are right and you are also right that people get confused about the distinction but (IMO) not quite in the way you think.

All access verification methods are about whether you have an access to some resource, be it a broom cupboard or a nuclear launch button. User identification is only secondary, on the principle that since juiceme is on the list of users who can enter the broom cupboard, once you identify a user as juiceme you can grant him the access.

There are three methods of access verification, based on something that you, in a decreasing level of security,

1. are (the guard at the secret vault door recognizes you as the king, so he lets you in)
2. have (a passport, an ID card, a key...)
3. know (some piece of information that only select few know, e.g. a password or a pass phrase)

In the electronic age, various biometric entry methods (fingerprint, iris scan, facial recognition) fall under #1. A key card, microchip etc. would be #2. And finally, a password is of course #3.

There is nothing special about passwords. They are nothing but a way of checking that someone who claims to be juiceme really is juiceme, by prompting for a piece of information that (hopefully) only juiceme knows. But passwords are easy to share and thus are the most convenient for when you need to give access to many people simultaneously, including when that select group changes dynamically. But for the same reason, passwords are by far the least secure authentication method.

Passports, ID cards and keys are more secure for the simple reason that they are more difficult to copy. Not impossible and they can be lost or stolen but still less easy than passwords. But they are not very practical for granting access to resources that are a similar size to the key itself, such as a mobile phone.

Biometric identification has the potential to be the most secure. The guard letting only the king in would not be easily fooled and really only let the king in. And so it is with fingerprint, iris or facial recognition - at least in theory. But unfortunately the technology available to the likes of you and I still has some way to go, as you correctly point out. So, at least for the time being, the least secure method (the password) remains, ironically, the most secure. Hopefully not for long.