This is the only part you keep missing. “Something you do” is not a factor. It’s proof of intentionality. It doesn’t need to be secure. When you use a biometric it makes intentionality and the “something you are” factor a 2 in 1 step for authentication.
The biometric is the key, presenting that biometric is the action of intentionality.
When accessing a bank, typically you present your username (client id/card/username/etc.)
Then say “login”. Assuming you configured the best security on your account with your phone, they will do 1 of 2 paths:
- Ask for fingerprint - This accounts for intentionality and 1 factor. The biometric is actually unlocking a private key stored on device (the 2nd factor) that is used in a crypto signing challenge. This is a 2 factor auth.
- Push notification - This is sending you an OTP of 2 digits you have to enter into the webpage. The numbers are 1 factor (something you know). Once entered, you’re typically asked for a fingerprint, which repeats the first path above. In total this accounts for all three factors + intentionality and would be a 3 factor auth.
Both of these paths are a “passkey auth” or “passwordless auth”.
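The first path above (biometric unlocks an on-device private key, which signs a challenge the website issued), as an added example that is not from the comment's author or any real bank; it assumes Ed25519 keys, a simplified challenge format, and a `biometricOK` flag standing in for the phone's fingerprint prompt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the phone: the private key never leaves it and is only
// used after the local biometric check (the intentionality step) succeeds.
type Authenticator struct{ priv ed25519.PrivateKey }

// Assertion is what the device hands back: the challenge plus a signature over it.
type Assertion struct{ Challenge, Sig []byte }

// Sign refuses to use the key unless the biometric check passed (assumed flag).
func (d *Authenticator) Sign(challenge []byte, biometricOK bool) (*Assertion, error) {
	if !biometricOK {
		return nil, errors.New("user verification failed: key stays locked")
	}
	return &Assertion{Challenge: challenge, Sig: ed25519.Sign(d.priv, challenge)}, nil
}

// Server stores only the public key and unanswered challenges; no secret to steal.
type Server struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

// NewChallenge issues a fresh random nonce; each one is accepted at most once.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.pending[string(c)] = true
	return c
}

// Verify accepts only a challenge it issued and has not consumed (no replay of a
// captured reply) and only if the signature checks against the enrolled public key.
func (s *Server) Verify(a *Assertion) error {
	if !s.pending[string(a.Challenge)] {
		return errors.New("unknown or replayed challenge")
	}
	delete(s.pending, string(a.Challenge))
	if !ed25519.Verify(s.pub, a.Challenge, a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Enroll generates the device key pair and registers only the public half.
func Enroll() (*Authenticator, *Server) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, &Server{pub: pub, pending: map[string]bool{}}
}
```

Note that the website never learns the fingerprint or the private key; it only sees a signature over a nonce it chose, which is why a captured reply is useless a second time.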