Short answer: token MFA is required, passkeys are optional, but highly advised for maximum security and convenience.
Long Answer
Idk how technical you are in the context of authentication security, but passkeys are different from FIDO2 credentials. FIDO2 Creds are the pub/priv key protocol you’re talking about.
Passkeys are a specific implementation of strong authentication. They’re powered by FIDO2 credentials, require 2 or all the factors of MFA, and require proving intentionality (intending to authenticate)
There was a discussion on another thread where I go over this in more detail