by xyzzy123
402 days ago
Yep, I agree good outcomes are possible, and an e2e-synced passkey should have better privacy properties than a federated login. It's a nuanced discussion because in practice today, the email provider is regarded as the ultimate source of truth regarding identity, except for high-security domains, e.g., where money is involved (banks, crypto) and it's economically viable for recovery to be high-touch. So having access to a user's email is the first "golden key". Second is OIDC / social logins. Third would be passkeys / stored passwords / an unlocked device. My guess about the future is that OIDC / social login will prove to scale and grow better than direct passkeys in most instances. It's a better, more fully developed model for thinking about and managing identity lifecycle; passkeys themselves are a low-level primitive by comparison. Users will understand it (social login) better, providers will support it better (partly because corporates don't have any way to centrally manage passkeys at scale, nor should they), and finally because of the fallback / recovery problem for sites using passkeys.