They only require it if you already support other third-party authentication methods in the app. If you exclusively use your own authentication it is not required.

Sign in with Apple is pretty good and it doesn't ask you for a password, and you confirm with the power button/faceid if I'm not mistaken. It's very hard to spoof.

That one's easy, Apple is not yet mandatory.