[lxgr]

Passkeys can absolutely constitute two factors. At least the iOS and Android default implementations back user verification (which the website/relying party can explicitly request) with biometric authentication, which together with device possession makes them two factor.

[FreakLegion]

That's not what two-factor means. Forget about passkeys -- if you use a password manager, and that password manager has a biometric lock, your accounts don't thereby have a biometric lock as a second factor. The transitive property doesn't apply here.

[lxgr]

I’d say it does apply transitively, but only if the weakest link itself is also strong enough, and passwords are not.

[UltraSane]

And even a passkey on a phone that doesn't require authentication is immune to remote phishing and cloning.