> Authentication ie can this person do this thing
Nope, that's authorisation. You have a database saying (this identity) can do (this thing).
Authentication is when a person claiming to be (this identity) can prove that they are. Nothing more.
Setting that aside: you're proposing that claimed identity should come from biometrics (fingerprint, facial recognition etc), while authentication should come from some other factor (password, smartcard etc)
That's certainly better than taking both identity and authentication from the biometrics. But there are advantages in doing it the other way round.
For example, if I can prove that I hold the token which identifies me as J Bloggs, then the fingerprint or face scanner only has to do a comparison against the stored details of J Bloggs, which it can do quickly and accurately and with tight tolerance.
If I use my fingerprint as identity, then the system has to first look at my fingerprint and compare it against all the possible fingerprints which might be in the system, hoping to find one which is a close match to a single person but with sufficient rejection of everyone else, before proceeding.