I'm a fan of passkeys because I don't have to store sensitive info. It's just a public key and I don't need identifiable info from the user. That's a super nice option for some niche low stakes software.

Unfortunately that breaks down when someone doesn't set multiple keys as backup and gets locked out. Then you're right back to password/backup code or some kind of recovery to email or phone. Chances are people just store their backup codes as plain text too. They also break down across desktop/mobile, e.g. register on desktop then try to log in on mobile. Not everyone has a good sync solution here, especially the non technical.

Honestly all the solutions have trade offs in UX/security/privacy and dependency on third party services. The best solution is going to be highly dependent on the business.

I have 3 laptops, a PC and a PC at work and 2 phones. Passkeys still confuse me and I'm not 60 yet.