OK, I am starting to understand. Needed to read up on passkeys.

https://www.passkeycentral.org/introduction-to-passkeys/how-passkeys-work

I'm not yet sure if it is a good idea to skip 2FA when a passkey is used (Github does this for example). Also having your private passkey synced into Apple's iCloud (or similar) worries me a bit but I need to experiment some more to form an opinion.