Biometric authentication systems are increasingly deployed in security-critical applications, yet existing physiological and behavioral biometrics suffer from fundamental limitations: 1) they are vulnerable to spoofing attacks due to unreliable liveness detection, 2) biometric templates may leak privacy-sensitive information 3) intra-user variability results in accuracy degradation, and 4) it is difficult to revoke physiological biometrics and safeguard them over long-term use. To address these challenges, we propose BlowLive, a robust multi-factor biometric (MFB) framework that integrates blow-acoustic signals and facial biometrics as complementary behavioral and physiological modalities. BlowLive incorporates advanced spectral feature extraction and multimodal fusion techniques, achieving high authentication accuracy even for behavioral modalities. Instead of relying on conventional biometric approaches that utilize raw biometric templates for authentication, the proposed framework adopts a fuzzy-extractor–based biometric authentication scheme, wherein stable cryptographic keys are derived from inherently noisy biometric inputs and subsequently used for authentication. To defend against playback, synthetic, and deepfake attacks, BlowLive further integrates a novel Doppler shift-based liveness detection mechanism. We implement the complete BlowLive framework and experimentally evaluate its effectiveness using biometric data collected from 50 participants. The experimental results demonstrate high authentication accuracy (99.56% for blow-acoustics and 100% for facial and fusion modalities), robust liveness detection (99.42% accuracy), strong template protection and revocability, non-invasiveness, and high usability.