Both protocols, FIDO UAF and FIDO U2F, rely on public key cryptography for authentication, using hardware devices on the client side, so-called authenticators, to generate cryptographic key pairs. The private key is stored securely on the user's device and never transmitted over a potentially insecure channel (i.e. the internet), while the public key is supplied to and stored by the relying party. Relying parties use a challenge-response mechanism: they issue a challenge, and the client must respond by signing it with the private key stored on the user's device. To do so, the end user employs the biometric capabilities of their device (a face scan or a fingerprint) or, where these are unavailable, a PIN or a passphrase to locally unlock access to the private key on their authenticator and create the digital signature. Biometric data (or PINs/passphrases) are likewise never transmitted over an insecure channel, which makes this procedure inherently stronger and more secure than using passwords.
This is also where the term multi-factor comes into play: an authentication factor can be conceived of as a category or type of authentication credential which is used for verifying that an entity is who it claims to be. The three major factors are:
The provision of biometric data (something you are) or a PIN (something you know) to unlock the private key on a device (something you have) ensures the use of at least two factors, thus lowering the overall chance that an unauthorized entity can provide both factors at once.
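
The registration and challenge-response exchange described above, simulated in Node.js as an added example that is not part of the original page or of any FIDO library. The class names, the PIN as the local unlock factor and ECDSA P-256 with SHA-256 are assumptions, and single-use challenges are included so that a captured response cannot be replayed.

```javascript
const crypto = require('node:crypto');

// Added illustration: class and method names are hypothetical, not a FIDO API.
// P-256 with SHA-256 is an assumed algorithm choice; the text names none.
class Authenticator {
  #privateKey; // never leaves the device
  #pin;        // verified locally, never transmitted
  constructor(pin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#privateKey = privateKey;
    this.#pin = pin;
    // Only the public half is exported for registration.
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Unlock the key with the local factor, then sign the challenge.
  sign(pin, challenge) {
    if (pin !== this.#pin) throw new Error('local user verification failed');
    return crypto.sign('sha256', challenge, this.#privateKey);
  }
}

class RelyingParty {
  constructor(publicKeyPem) {
    this.publicKeyPem = publicKeyPem; // all the server stores for this user
    this.pending = new Set();         // challenges issued and not yet answered
  }
  newChallenge() {
    const challenge = crypto.randomBytes(32);
    this.pending.add(challenge.toString('hex'));
    return challenge;
  }
  // Accept one response per issued challenge, so a replayed response fails.
  verify(challenge, signature) {
    const id = challenge.toString('hex');
    if (!this.pending.delete(id)) return false;
    return crypto.verify('sha256', challenge, this.publicKeyPem, signature);
  }
}

// Constructed run: registration, one login, then a replay of the same response.
function demo() {
  const device = new Authenticator('1234'); // constructed PIN
  const rp = new RelyingParty(device.publicKeyPem);
  const challenge = rp.newChallenge();
  const signature = device.sign('1234', challenge);
  return { first: rp.verify(challenge, signature), replay: rp.verify(challenge, signature) };
}
console.log(demo());
```

The relying party holds nothing that would let it, or anyone who copies its database, produce a valid response: it stores only the public key and the outstanding challenges.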