> it’s discouraged

Why do you say that? There are billions of synced passkeys being used by users with some of the largest sites and services in the world.

This is not correct. The default credential manager on all devices except for Windows, creates synced passkeys. And Windows will be changing soon.

> Because by default, they do, and you have to explicitly install software to let it be moved

Apple's native passkey implementation doesn't require doesn't require you to install extra software, and the passkeys sync by default. I thought Google's and Microsoft's were similar - but I haven't tried them.

> And even if you do, it’s discouraged

Really? Where is it discouraged? I thought synced passkeys are intended as the solution for consumers.

> the spec is allowed to deny you access

Yeah but I thought that's for enterprise use cases, not consumer. E.g. employers that want to enforce device type restrictions on their employees.