I like passwords; I hope this passwordless shift is a bad dream. I don't like it being tied up with hardware crypto. At least it supports TOTP still, I guess.
Passwordless is just not using a string for auth. Maybe that's a passkey (certificate auth), maybe that's a magic link (email), maybe it's a push notification; all that matters is you're not using weak static strings (passwords) to enable auth.
(customer identity and access management is a component of my work)
Most people's garbage was not worth more than a static string. Much of it shouldn't have needed an account at all.
This sounds like more of an administrative ask for end users who don't actually care about your service that much (and transitively their account on your service).