Since passwords are shared secrets, they are vulnerable. The principle behind FIDO2 and WebAuthn is to use public-key cryptography to replace passwords. If the database containing user credentials is compromised, attackers can only get the public keys, which are worthless without the corresponding private keys. The private key is kept secure on the computer, while the server keeps track of the public key and issues challenges to the authenticator.
Public-key cryptography is used by all FIDO authenticators. During authentication, the user verifies his identity by demonstrating that he has a private key to the relying party/web application/web browser. The relying party may also use attestation to ensure that the authenticator used to produce the private key is reliable. The authenticator's private key is safely stored on the computer and can't be stolen. The public key, on the other hand, is sent to the server. Under the challenge-responses-based protocol, the user must prove to the server that he has the private key if he wants to check his identity.