Eh, I kinda disagree. The ideas you outlined are similar to passwords.
Passwords can be stored to hardware tokens too, like the HSM in phones. It's used in apps like KeePassDX for database fingerprint unlock.
Passwords too.
Passwords too.
I think this stems from confusion around not knowing the differences between U2F, WebAuthn, challenge response, and passkeys, which is exactly what the article can clarify.
It's actually pretty simple. Allow me to make gross oversimplifications to present a rudimentary version. Assume your account is a box.
You can lock your box in different ways. With passwords, you essentially use a lock with one key. The service provider allows people to try keys to open boxes and may also know your key, which means there is a chance of them leaking your keys through improper storage or malicious servers (if it's unhashed). You can also be presented with a fake box which reveals your key.
With TOTP, you first lock your account with a key (your password) and also create an agreement with the service provider. The agreement is that unless you tell them the secret word, they won't open your box even if you have the key (the shared secret for TOTP generation). But now both of you know the secret word. You can still be presented with a fake box, leaking your key and your secret word.
With passkeys, you lock your box with a special key. The key is made by you, then you split the key in two parts so that only they fit each other and no other key can copy them. Then you lock the box with your key and the provider takes the box away. They also take the other part of the key and attach it to the top of the box. Now if anyone presents you a fake box, you will know since the key attached to the box will be wrong. Your box is still protected since only the part of the key you have can be used to unlock it. Since you made the key, the provider cannot actually ever know how to open the box, since they didn't access or create any secret.
Finally you put the part of key you have into a box with a biometric lock, so that only you can open it or even access it, and this biometric box is the one you can store on device, on password managers, etc.
This means passkeys are something you know (the key attached to the top of the boxes) and something you have (the biometric box holding the other key). The best part is you don't see any of this. You just click login and it happens, voila!
Idk, maybe this helps. Imo passkeys can be adequately explained.