> It's not, though. The passkey itself is strictly a single factor.
The passkey alone is not sufficient to log in. You must also provide a successful response to the WebAuthn challenge from an authenticator that has been registered/configured with that passkey.
> That's kinda the point, to reduce user toil.
It's almost as if letting people elect to enter their secure, never-written-down-anywhere-else passphrase would accomplish that.
Your passkey could have 2FA locally (e.g., a Yubikey with a PIN), but that is up to your discretion. It may be single factor.