When multi-factor auth is not multi-factor
For work I have a mandatory secure development course that includes a web security lab. PortSwigger has a broad array of detailed topics on web security, covering the ones you'd expect but also advanced, newer topics like Web LLM attacks.
One thing I did learn was that, even though I have multi-factor authentication set up for AWS, it's not truly multi-factor. I use a password and a passkey, but they are both provided by my password manager using my fingerprint. It's very convenient, though. Maybe I should continue getting a second factor from my phone's authenticator app, which is slightly more time-consuming but more secure.