A number of things. The key is stored on and accessed by a separate coprocessor from the CPU, so the CPU doesn’t even know the private key. That takes its own protocol, over i2c, usb, Bluetooth, etc. Then the browser has to coordinate that protocol to communicate with the web protocol from the frontend JS. There’s also the concept of server verification, so it’s a more complicated handshake than just one signature going one way. Then, of course, there’s the inherent complexity of public key cryptography in general, but you only need to worry about that if you’re writing it from scratch with no library.

From a basic web dev perspective, it’s not much more complex than a password, but that’s because the complexity of the protocols is hidden behind the libraries. A password actually isn’t complex, even when you remove the libraries.

(The private key does not have to live in a separate coprocessor, but that’s the most secure method, and the one covered by the protocol.)