The EU should have mandated a user-facing authentication scheme using a random string as the only authentication factor for everything. Pretty much like the API tokens for contemporary enterprise software, except that they would be used by ordinary people and not by application developers.
And complement it with hardware tokens for highly sensitive applications.
Passkeys could have been that, but they were quickly subverted by the industry.
But this does not allow tracking or marketing, so why would they do that?