It is worth noting that 1Password has now rolled out PassKey support (they might have to change their name one day). Prior to macOS Sonoma, it would only work in Chrome-based browsers (don't know about Firefox), but now it works in Safari and also works on iOS 17 (I have not tried it in apps, but it does work in Safari and third-party browsers like Brave). I do like a third party like 1Password because it is cross-platform. There are ways of using an Apple PassKey on Windows by scanning a QR code with your iPhone, but it is not as elegant. Maybe Apple will bring PassKey support to its Windows iCloud Password Manager app. Most sites also allow multiple PassKeys as well, so you can use Apple PassKeys on Apple devices and use Windows Hello on Windows. I believe other password managers like Bitwarden are rolling out PassKey support as well.
The issue at the moment is that a lot of websites still require a username and password and request the security key at the same point they would normally ask for a 2FA code. There are a few that allow you to skip the username and password step completely, like GitHub. My understanding is that eventually we will get rid of usernames and passwords completely, but for the moment they have them as backups. Microsoft accounts do offer passwordless, through Windows Hello, but on Safari you have to do it through the Microsoft Authenticator app. I don't think people should worry about losing their devices; PassKeys are stored in Keychain and synced to Apple servers. Same with Microsoft, Google, and 1Password.
A few other sites that seem to support PassKeys (passwordless (has a password but can skip)):
- GitHub (passwordless)
- Brave Community
- Microsoft (passwordless - might require Microsoft Authenticator app)
- Google (passwordless - need to click Try Another Way on the password screen)
- eBay (passwordless)
- SimpleLogin
- Nintendo (passwordless)
- Nvidia (passwordless - select log in with security device)
- Proton
- OnlineScoutManager (passwordless)
- Bitbucket (a bit strange - An Atlassian account only has 2FA and a Bitbucket account has PassKeys but you need an Atlassian account for Bitbucket)
- GitLab
- Roblox
Nintendo, GitHub, and eBay are probably the most seamless in my experience. 1Password and Apple accounts only seem to support hardware keys, which I guess makes sense; preventing people from storing their Apple ID private key in their iCloud Keychain is probably a good idea, although Microsoft and Google both support PassKeys, so who knows?