it means it shows how poor the user experience was until only two years ago.

sure, you can use a passkey as a primary authentication, but only “a device” or “system”(keypass/1pass etc) knows the passkey detail. with only passkey, if my passkey provider/ device is compromised then everything is lost. having single factor auth seems like a bad idea.

a password is something that I can know, so is still useful as a protection mechanism. having two factor auth should include password and passkey, which seems entirely reasonable whilst also providing an easier path forward for people used to TOTP.