I’ve seen OP confused by a couple of replies so I’m going to give it my go:

I’d like to send you a HUGE amount of money, but I want to be insanely sure that it’s actually you and not an imposter. An easy way would be to meet up and hand over the money, but I’ve never met OP before and I don’t know what they look like. All an imposter would have to do is know OP’s username and id give them the money, I have no way to verify it’s them otherwise.

Well, what about a secret code word? I know OP’s name, so when I meet up with them I can not only verify their name (publicly available to anyone), but also the secret code word we came up with via private message. That’s waaaay better, but someone could still find those messages, read them, and walk away with the money.

So now what? Well, what if we placed our trust in an irrefutable database – like ID cards? What if I was able to go to the government before we’ve ever met and get copies of OP’s driver’s license and vehicle registration? When they pull up, I can just look at all of the details of the car they pull up in, and see the details on the driver’s license to see if it matches up to the person that gets out. That way, I can be super sure it’s you without even asking you a question and the money is definitely going to the right person.

The way this translates to this situation is that the first paragraph has no protection, the second is a password, and the third is passkeys. Passkeys are different from passwords because trust is established BEFORE the sign in process – the site you’re trying to sign in to registers with your phone during initial setup or rollout of passkeys. Once the trust is established initially, all the devices need to do is talk to each other to confirm your identity, no need for you (or an imposter) to screw up and misidentify you with an insecure password or loose lips 2FA code.