
I'm not a security expert, but I have an opinion on passkeys: I think we should stick to using them only for 2FA. At least for any site where the security really matters.

In my mind, a passkey authenticates the device, while the password authenticates you, the user. Passkeys let us limit which devices are allowed to connect with our credentials. A hacker in Eastern Europe could steal my login, but if their laptop isn't authorized, it makes an account takeover much harder.

(Side note: This is also why I'm uncomfortable putting TOTP codes and passkeys in the same password manager as the regular login credentials. It effectively defeats the whole purpose, turning multi-factor authentication back into single-factor again.)



Criminals love getting persistent access to accounts using Passkeys because there's a large populace that does not understand what a Passkey is or does, or review whether they have any, and even if they have an unauthorised one created, they do not do anything about it.



