In 21 CFR Part 11, section 11.200 outlines the electronic signatures requirements, notably
(a) Electronic signatures that are not based upon biometrics shall:
[...]
(3) Be administered and executed to ensure that attempted use of an individual's electronic signature by anyone other than its genuine owner requires collaboration of two or more individuals.
We interpret this as notably requiring two administrators to reset a user password (otherwise a single administrator could reset the user's password on their own and then happily falsify away).
But when biometrics are used, the requirements appear much weaker:
(b) Electronic signatures based upon biometrics shall be designed to ensure that they cannot be used by anyone other than their genuine owners.
meaning that, for instance, in the case of fingerprint authentication, a single administrator could reset the fingerprints alone and then falsify away.
How did you implement that requirement? We are tempted to just ignore the (b) because it appears to be quite weak, and treat biometrics just like passwords.
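The reading of 11.200(a)(3) in the question, applied uniformly to passwords and biometric enrolments, amounts to a two-person rule on credential resets: one administrator initiates, a different administrator approves, and the credential only changes once both have acted. The following Python sketch is an added illustration of that control, not code from the question or from any product; the `CredentialStore` class, the admin names and the credential bytes are constructed for the example, and the biometric "template" is treated as opaque bytes because the point is the dual-control gate, not the matching algorithm.

```python
"""Two-person-rule credential reset, illustrating the 11.200(a)(3) reading above.

Added example: a reset of either a password or a biometric enrolment takes
effect only after a second, distinct administrator approves it, and every
step is written to an audit trail. All names and secrets are constructed.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 200_000


def _protect(cred_type: str, secret: bytes) -> bytes:
    """Password: salted PBKDF2 hash. Biometric: stored as the enrolled template
    (a real system would protect the template at rest; out of scope here)."""
    if cred_type == "password":
        salt = secrets.token_bytes(16)
        return salt + hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)
    return secret


@dataclass
class ResetRequest:
    request_id: str
    user_id: str
    cred_type: str           # "password" or "biometric_template"
    new_secret: bytes        # constructed new credential material
    initiated_by: str
    approved_by: Optional[str] = None


@dataclass
class CredentialStore:
    admins: set
    credentials: dict = field(default_factory=dict)  # (user, type) -> protected
    pending: dict = field(default_factory=dict)      # request_id -> ResetRequest
    audit: list = field(default_factory=list)        # (event, request_id, actor)

    def initiate_reset(self, admin: str, user_id: str,
                       cred_type: str, new_secret: bytes) -> str:
        """First administrator records the intended reset; nothing changes yet."""
        if admin not in self.admins:
            self.audit.append(("denied_initiate", None, admin))
            raise PermissionError(f"{admin} is not an administrator")
        rid = secrets.token_hex(8)
        self.pending[rid] = ResetRequest(rid, user_id, cred_type, new_secret, admin)
        self.audit.append(("initiate", rid, admin))
        return rid

    def approve_reset(self, admin: str, rid: str) -> bool:
        """Second administrator approves; the two must be different people."""
        req = self.pending.get(rid)
        if req is None or admin not in self.admins:
            self.audit.append(("denied_approve", rid, admin))
            return False
        if admin == req.initiated_by:
            # The same person initiating and approving defeats the control.
            self.audit.append(("rejected_same_person", rid, admin))
            return False
        req.approved_by = admin
        self.credentials[(req.user_id, req.cred_type)] = _protect(
            req.cred_type, req.new_secret)
        del self.pending[rid]
        self.audit.append(("approve", rid, admin))
        return True

    def verify_password(self, user_id: str, password: bytes) -> bool:
        stored = self.credentials.get((user_id, "password"))
        if stored is None:
            return False
        salt, digest = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
        return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    store = CredentialStore(admins={"alice", "bob"})
    store.credentials[("user1", "password")] = _protect("password", b"old-pw")
    rid = store.initiate_reset("alice", "user1", "password", b"new-pw")
    print("alice self-approves:", store.approve_reset("alice", rid))   # False
    print("bob approves:", store.approve_reset("bob", rid))            # True
    print("new password works:", store.verify_password("user1", b"new-pw"))
    for entry in store.audit:
        print(entry)
```

The same gate applies to a `"biometric_template"` reset, which is the question's proposal of treating biometrics like passwords: an enrolment can only be replaced by two administrators acting together, and the audit list records who initiated and who approved.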
While I am not a lawyer, I would interpret this as follows:
Section (a.3) could refer to a guardian and a witness e-signing a document on a patient's behalf.
Whereas (b) clearly states that no one except the patient can use their Biometric eSignature.
Or,
(a) eSignatures based on UserID/Passcode may be used by others on the patient's behalf.
(b) eSignatures based on biometrics may not be used by others.
Or, for your example
(a) An eSignature based on UserID/Passcode can be reset, but requires at least the resetter and a witness to ensure that the reset is trustworthy.
(b) An eSignature based on biometrics may only be reset by the user.
In general, I would interpret (b) to have tighter use restrictions than (a).