Private keys are backed up via iCloud Keychain (on iOS) and Android KeyStore (on Android). Both are encrypted systems and are the backbone of Apple and Google password managers, respectively.
On the device, private keys live in the phone's secure enclave, usually backed by a hardware security module. When you get a new phone, these keys can only be restored when you set up the new phone from a backup of your old phone - thus, the security of the private keys in the Keyri system is on par with the security of Apple / Google password managers as well as smartphone cloud backups in general, which is pretty good.
Other authenticator apps, like Google Authenticator, Duo, etc. use these same backup methods. Others, like Authy, maintain their own cloud backup systems.
That said, I agree cloud backups are not ideal, but I think they're necessary to maintain a smooth UX for most users. Our SDK provides developers the option to disable cloud backups and instead enable QR code backups, which allow users to export their private keys onto a QR code that they can print out and keep somewhere safe, like where they keep their passport.
In case biometrics fail, (1) we give developers an option to enable a PIN fallback. Some apps like Credit Karma do this today. (2) Companies can have their own "I lost my finger" customer support process and allow users to reset their credentials upon approval. I suspect that process will see less traffic than "I forgot my password", so it should (a) cut down on CS costs and (b) make it easier to detect social engineering attempts.
Giving all my login information to a third party seems like an awful idea. How are the keys secured from Google and Apple?
What is the contingency plan for logging in if your biometrics change? People lose fingers sometimes.