I will say some things that aren't 100% correct, but they don't alter the fundamental message. I use FIDO2 a lot, so this is mostly from my own experience.
The FIDO2 process replaces the username, password and MFA. When you get to the login prompt, you simply click "login". You don't type anything in, at all.
The gold standard is to use "device-based" FIDO2, like a Yubikey or a Google Security key. The secret key is stored in the Yubikey hardware, and it can never leave the device (hardware restriction). As long as it never leaves the device, it can't be stolen. Most hardware-based FIDO2 devices require something physical to also be done (such as touching a button on the FIDO2 device, a fingerprint on the FIDO2 key, etc.). Because of this, it is not possible to construct a phishing website with a pretend login, like you can with MFA. There is no chance of MFA fatigue. Only a signed message is exchanged using the server's key - so anything intercepted is of zero value.
Hardware-based FIDO2 is a considerable step forward in security (and cheap!) compared to username/password/MFA.
I recommend that companies use FIDO2 hardware to secure high-privilege accounts and valuable targets (like the C suite), such as Global Administrator accounts in Office 365, Google Workspace, SAML authentication for high-privilege accounts, etc.
The next step down is to use a device with a built-in hardware enclave, such as the Windows security enclave, Apple security enclave, etc. It is super strong compared to MFA and has nothing of value that can be stolen or intercepted. Your authentication information can never be stolen and sold.
Still a big improvement over username/password/MFA.
The next step down is "shared authentication," where the secret key is stored in a retrievable manner. My company also uses one of these for some systems. We SSO into the environment. A health check is done to ensure the computer requesting access is authorised to retrieve the key and is compliant with our security policy. MFA is also done. Once all of those checks are done (only needs to be done once per day, in our case), the secret key of the passkey is then released to perform the FIDO2 authentication.
The bottom rung is a complete software-only FIDO2 with no other security controls. There are almost no implementations like this. With usernames/passwords there is a risk of those being collected from a compromised website and offered for sale - you still gain protection against that, because the website never has access to your FIDO2 secret key, so it does not contain enough information to be able to perform an authentication. Your authentication credentials simply cannot be stolen.
But if the FIDO2 secret key was stolen from the actual machine/phone - then you are screwed.
Luckily, there are very few implementations like this.