Hi Saveen, I do iOS things around here 
You’re spot on regarding the Touch ID API – it must be via SecItemCopyMatching so that we’re actually unlocking something from the enclave (and thus can’t be hooked out on a jailbroken device).
For example for payments we’re looking at Touch ID with ATM PIN fallback. Touch ID would unlock a server-generated token to authorise the payment that would be updated on each use. The server has the option to challenge for either the token or the PIN, and the latter can be used on devices not supporting Touch ID.
As of iOS 9 you also get neat things like kSecAccessControlTouchIDCurrentSet, which means that if an attacker changes the registered fingerprints on your device, they still can’t impersonate you, as the token is encrypted using the previous set of fingerprints.
In terms of multi-factor auth there are lots of cool things for us to evaluate (biometrics, taking selfies, etc.) along with more mundane things like client certs, SMS, etc. Watch this space!
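The keychain flow described in this reply (a server-issued token unlocked through SecItemCopyMatching under kSecAccessControlTouchIDCurrentSet), written out as an added example that is not code from the original thread or its author; the service name, the error enum and the iOS 9-era Swift API names are assumptions.

```swift
import Foundation
import Security

// Keychain service identifier for the server-issued payment token (assumed name).
let tokenService = "com.example.payments.touchid-token"

enum TokenStoreError: Error {
    case accessControl          // SecAccessControlCreateWithFlags failed
    case osStatus(OSStatus)     // any other Security framework failure
}

/// Store a server-generated token so it can only be read after a Touch ID match
/// against the fingerprint set enrolled *now*. Enrolling or removing a finger later
/// invalidates the item (kSecAccessControlTouchIDCurrentSet), so a newly added
/// print never unlocks the old token.
func storeToken(_ token: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never backed up, gone if passcode removed
            .touchIDCurrentSet,
            &cfError) else {
        throw TokenStoreError.accessControl
    }
    // The server rotates the token on every use, so drop any previous copy first.
    SecItemDelete([kSecClass as String: kSecClassGenericPassword,
                   kSecAttrService as String: tokenService] as CFDictionary)
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecValueData as String: token,
        kSecAttrAccessControl as String: access
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw TokenStoreError.osStatus(status) }
}

/// Read the token back. The Touch ID prompt is raised by the enclave inside
/// SecItemCopyMatching itself, so there is no app-side "authenticated" flag to hook.
func loadToken(reason: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: tokenService,
        kSecReturnData as String: true,
        kSecUseOperationPrompt as String: reason
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        // errSecItemNotFound after a fingerprint change means the token was
        // invalidated: fall back to the ATM PIN path and fetch a fresh token.
        throw TokenStoreError.osStatus(status)
    }
    return data
}
```

The caller should treat errSecItemNotFound from loadToken as "re-enrol via the PIN fallback", not as a transient error.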