Google is taking action against the proliferation of relatively unsafe face and fingerprint scanners in Android. From version 8.1, every device that uses this technology and has not been used for four hours must still be unlocked with a PIN code. Google says so on its own Android blog.
Security in the code
The reason is that a BiometricPrompt API will be added to Android, making it much easier for developers to use a device's authentication capabilities within Android. That API can only be used on your phone if your scanner is on the ‘safe’ side.
On top of that comes an extra safety measure that is completely independent of how safe your scanners are: a PIN code has to be entered every 72 hours. Together, these measures make the security in Android a lot harder to circumvent, and apps that use the authentication can only do so if your device allows it. In this way, Google has left open the possibility of allowing weak security measures on hardware, without running that risk in their apps.