[cxmcc]

passkeys are often 2 factors but not necessarily something you know, examples:

- with macbook fingerprint sensor: something you have (private key on your device) and something you are (fingerprint)

- with yubikey without fingerprint: something you know (passcode, hopefully required) and something you have (private key on yubikey)

- with yubikey with fingerprint sensor: something you are (fingerprint, falling back to passcode which is something you know) and something you have (private key on yubikey)

[tunesmith]

But that's the whole point - yubikey with fingerprint, or any combination of things that exclude "something you know", opens you up to a whole set of vulnerabilities. Like "legal snooping"; that can't be done if you're protected with "something you know".

[cxmcc]

you can choose to use something you know with passkeys if preventing legal snooping is your priority.