It is a replacement for passwords not 2FA. If I understand it correctly it works a bit like those old SSH keys.

These are two files matched with each other. The server keeps one, and you keep one. If it matches, you are in, if not you do not get access.

There are other ways to make sure that the keys are correct e.g. certs, ip checks, additional passwords etc. The additional authentication when you use the key is the 2FA I guess.

1) passkey (something you have)
plus
2) password (something you know) or biometrics (something you are)