Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn standards). They remove the shared secret, stop phishing at the source, and make credential-stuffing useless.
But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.
I broke down how passkeys work, their strengths, and what’s still missing
It seems like the idea behind having the passkeys synced through cloud platforms is to mitigate the device failure risk as much as possible, as any device logged into the cloud account could be used to access the passkey protected accounts. It seems a little short-sighted as it means that the passkeys are limited to AAL2 (as AAL3 requires it to be non-exportable), and depends on the security of the cloud account. The cloud account can’t use anything as secure as a passkey, as it would reintroduce the device failure risk (meaning that your security has been downgraded from AAL3 to AAL2 for no reason).
It should also be noted that if the cloud account is not phishing-resistant (which it can’t be for reasons stated above), then the accounts protected by passkeys aren’t phishing resistant either, as the cloud account could be phished, which would lead to a compromise of the other accounts.
At AAL2 you could also just use a password and OTP, which doesn’t have the vendor lock-in problems with cloud synced passkeys and has a wider adoption already.
In my opinion there is no need for cloud syncing, as device failure risk is negligible if you have a backup security key (as the failure rate of a single security key is already extremely low).