Yeah, unfortunately the point of passkeys is to replace multi-factor authentication. Usually you have a username+password as the primary factor, and a secret that's hard to copy and replay as a second factor (TOTP, non-resident WebAuthn credential/FIDO, SMS code). Passkeys replace the primary factor with a signed challenge, but the second factor is up to the authenticator (such as biometrics). WebAuthn relying parties verify that the authenticator is locking the primary factor behind the second factor, and they do that with attestation.
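An added example, not part of the original comment: how a relying party could read the user-verification (UV) flag and the attested AAGUID out of WebAuthn authenticator data and reject a response that lacks UV. The RP ID `example.com`, the function names and the sample bytes are constructed for illustration; verifying the attestation statement's signature is not shown.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Bits of the authenticator data "flags" byte, as defined by the WebAuthn spec.
UP, UV, BE, BS, AT, ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


@dataclass
class AuthData:
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


def parse_auth_data(data: bytes, rp_id: str, require_uv: bool = True) -> AuthData:
    """Parse authenticator data and enforce the relying party's UP/UV policy."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    # Fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian).
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & UV:
        raise ValueError("user verification required but UV flag not set")
    aaguid = cred_id = None
    if flags & AT:  # attested credential data follows (sent at registration)
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential id")
    return AuthData(True, bool(flags & UV), bool(flags & BE), sign_count, aaguid, cred_id)


def build_sample(rp_id: str, flags: int, with_attested: bool = False) -> bytes:
    """Constructed sample bytes for the demo, not a real authenticator's output."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    if with_attested:  # all-zero AAGUID and a 4-byte credential id (constructed)
        out += bytes(16) + struct.pack(">H", 4) + b"\x01\x02\x03\x04"
    return out
```

The AAGUID read here is only as trustworthy as the attestation statement that covers these bytes, so a relying party that keys policy on it verifies that statement first.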