The villain is locked in in a room which requires a retinal scan from the guard to leave. So he proceeds to stab the eye globe of the guard with a pen to be able to unlock the door.
As such I tend to prefer cloneable credentials. Everything that is unique (cellphone, ...) would imply that access credentials could be stolen (as in, actually stolen, not copied), which could imply the threat of violence to succeed.
I would much rather someone attempt to steal my phone irl, as opposed to someone on the other side of the globe cloning my method of accessing my accounts without me even being aware until it's too late.
To clarify, this wasn't meant as an attempt at a "tough guy" acting. If someone tries to coerce my phone out of me irl by threats of violence, they will get the phone. But this being done irl at least has much easier path to being able to trace the criminal, actually prosecute them, and to minimize the damage to my accounts.
Not even mentioning that it is much more risky for them to attempt, given it would have to be done somewhere around a public place with other people and law enforcement around. Meanwhile, some guy from an eastern european country cloning my access credentials to compromise my accounts will almost certainly never be traced, and 100% won't get prosecuted (and that's on top of me not being able to be aware of that happening until after the fact).
