Use WebAuthn as the second factor. Passkeys are a single factor authentication, and a downgrade from password+WebAuthn.

Depends on where you store them. If they're in TPM (like WHFB) it's two-factor (because you need the TPM itself, something you have, and PIN or biometric to unlock it, something you know/are). But if you're just loading keys into a software password manager, yes, it's single factor.

	▲	int_19h 2 days ago \| parent [-]
		At this point, we have passkey support integrated in both major desktop OSes (Windows, macOS) and both major mobile OSes (Android, iOS). All of them require both the physical device and either PIN or biometric unlock.