You're confused because the post you're reading is conflating a bunch of different things.

The scattered spider attacks do involve a MFA social engineering attack, but it's NOT connected to consumer accounts that you would use to log into the app.

Scattered spider is targeting EMPLOYEE accounts that are used to login to backend systems, not the website or app front end. All of this discussion of this hacking group is completely 100% unrelated to this thread.

FWIW, depending on how it's implmented, faceID is not really a form of 2FA. In a true 2FA system, you need two factors. Usually this is a password and a code, the code can be generated by an an app like google authenticator, or by something like a hardware token, or it might just be texted or emailed to you. But you need both.

In most FaceID app systems, you're just substituting the FaceID for a password. A 2FA system might be used in addition, or maybe not. But you don't NEED the face to get into the account if you actually have the password. It's just a convenient option.

Passkeys are a different thing, that can be secured by faceID, but the use of FaceID in the delta app doesn't involve passkeys.