The “something you have” is the key stored in the secure enclave/yubikey/whatever. That’s the real authenticator in this scenario. That it’s (maybe) unlocked biometrically is nice, but secondary.