
For passkeys in particular, this theory would be more credible if it wasn't for the fact that pretty much every password manager has planned support for them, and almost all of those same managers have been integrated with your browser's password manager APIs and the OS's secure auth mechanism. 1Password will use Face ID or Windows Hello PIN to unlock your vault, and then it will offer up the passkey credential, just like it does with your completely randomly generated password, today, the difference being you can't phish them or recover them from hacking websites. Like this theory just doesn't work as well when we basically have years of evidence suggesting the exact opposite thing, which is that both major browser vendors and password managers are interested in cooperation in order to achieve better user experience and security.

Plus the idea is predicated on the idea you can't just register another device. Passkeys, as a user auth model, pretty much require the ability for multiple devices to be tied to one account. Google has your passkey for site X? Log in, register a new passkey with 1Password, delete your old passkey. Done.




Sure, for now. If it ever reaches wide adoption, when Google/MS/Apple see only 2% of users use a 3rd party to store keys, why would they continue to maintain the ability to integrate? Especially if there's some advantage (lock in) to not doing so.

Multiple devices/key stores that don't sync are dead before they even get started. Almost no users are going to be willing to do that, and thus most websites won't bother to support it. How many websites today offer the ability to have multiple OTP options concurrently and/or allow you to only enable TOTP and disable email/SMS?

This will start out open and flexible to gain adoption, and then either through malice, laziness, or low adoption, the options that avoid lock in will be phased out.


It doesn't matter how many different things have support for passkeys. Because they let websites do "attestation" of them, it won't be long until every major website is only allowing logins with passkeys blessed by Microsoft, Apple, or Google.


AFAIK Apple refused to implement attestation, so you can't realistically enforce it. Who knows how long that one is going to last, though.


It’s incorrect - Apple has in fact implemented attestation as can be seen in https://github.com/lbuchs/WebAuthn.


I'm not familiar with all this, but when I run the demo page (https://webauthn.lubu.ch/_test/client.html) on macOS 13.4.1 with Safari (Firefox doesn't work) I get "none" for the Apple attestation.
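For readers who want to see what the "none" result above means on the relying-party side, here is an added example (not code from the thread or from lbuchs/WebAuthn) that decodes a WebAuthn attestationObject with a minimal CBOR reader and applies the kind of fmt allowlist the lock-in comment describes. The sample object is constructed in the code, the rpId "example.test" is an assumption, and the CBOR subset covers only what this structure needs.

```python
# Added example, not from the thread or lbuchs/WebAuthn: decode a WebAuthn
# attestationObject (CBOR map with fmt / attStmt / authData) and classify it
# under a relying-party attestation policy. Sample data is constructed below.
import hashlib

def _decode(buf, i=0):                     # one CBOR item -> (value, next_index)
    major, info = buf[i] >> 5, buf[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info == 24:                       # one-byte length follows
        n, i = buf[i], i + 1
    else:
        raise ValueError("CBOR length form not supported here")
    if major == 0:                         # unsigned int (e.g. attStmt "alg")
        return n, i
    if major == 2:                         # byte string
        return bytes(buf[i:i + n]), i + n
    if major == 3:                         # text string
        return buf[i:i + n].decode("utf-8"), i + n
    if major == 5:                         # map
        out = {}
        for _ in range(n):
            k, i = _decode(buf, i)
            out[k], i = _decode(buf, i)
        return out, i
    raise ValueError(f"unsupported CBOR major type {major}")

def decode_attestation_object(raw):
    obj, end = _decode(raw)
    if end != len(raw) or not {"fmt", "attStmt", "authData"} <= set(obj):
        raise ValueError("malformed attestationObject")
    return obj

def classify(att, allowed_fmts):
    """RP decision at registration. fmt 'none' carries no authenticator provenance
    (what the Safari demo reported); any other allowed fmt still needs its attStmt
    certificate chain verified before the vendor claim is trusted (not done here)."""
    fmt = att["fmt"]
    if fmt == "none":
        return "accept-unattested" if "none" in allowed_fmts else "reject"
    return "verify-chain" if fmt in allowed_fmts else "reject"

def _tstr(s):                              # CBOR text string, length < 24 only
    return bytes([0x60 + len(s)]) + s.encode()

def sample_object(fmt):
    """Constructed attestationObject: authData = sha256(rpId) + flags UP + counter."""
    auth = hashlib.sha256(b"example.test").digest() + b"\x01" + (1).to_bytes(4, "big")
    return (b"\xa3" + _tstr("fmt") + _tstr(fmt) + _tstr("attStmt") + b"\xa0"
            + _tstr("authData") + bytes([0x58, len(auth)]) + auth)
```

With an allowlist of vendor formats only, every "none" registration is rejected, which is the mechanism behind the concern that sites could restrict logins to blessed authenticators.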



