Edit: Below is a bit of a rant, but I do want to thank you for the article. It's a nice explainer, and honestly passkeys with biometrics + PIN are probably secure enough for most people anyway.
"In contrast, passkeys provide a more secure and simplified solution by removing the need to manage or store multiple credentials."
Well, not true. Each website gets its own passkey. The user just doesn't have to manage it.
The "What happens if I lose my device?" section forgot to answer the important question: how to recover. Or, more broadly, how to use multiple devices. Presumably the keys would need to be synced across devices.
The fact that passkeys require biometrics - a known insecure way of logging into devices - is unfortunate. A PIN helps the situation, but if it's intended to compensate for the known weaknesses of biometrics, it is inadequate. I don't know why people think that fingerprints, which you leave everywhere, or your face, which is in public everywhere, are good ideas for logins. They are usernames at best, not "passwords". Somewhat difficult to fake, sure, but it can be done, especially since the underlying technology doesn't capture your biometrics in full detail. Not to mention the fact that you can't really change them once they get compromised, at least not without surgery. That's a problem if malware gets on your device and can swipe the database. Sure, it's encrypted, but if that malware can swipe the database it can probably intercept your PIN, too. To be fair, malware would crack anything, but at least you can change passwords after the fact; not so with bio.
Passkeys with a master passphrase - now that I could get behind.
Two-factor authentication is fairly annoying these days. It often assumes that a mobile device is the correct second device to authenticate to (not true if you are logging in from the mobile device in the first place), that you have two devices or a (smart)phone (there's a subtle wealth assumption being made, which is fine for most people in the States but not all, and perhaps quite a leap for the developing world), and, if it's sent over SMS (a bad idea since it is unencrypted), that you have cell service where you have internet. Worst of all, many sites don't give you choices in how you would want two-factor to be used.
A good two-factor solution is an app that works single-device for those without two devices (you can't have 2FA if you only have one device; that's just a weakness that has to be accepted), but can be configured to be multi-device (so not just a mobile app; it needs to be desktop, Mac, Linux, etc.) and with an integration into whatever login system you are using (maybe it is also your password manager) so that it can guarantee that the second factor goes to a second device. If you log in on mobile and get your 2FA there, you didn't really get 2FA. And the app shouldn't require or need your phone number. It irks me when apps claim to be private and then turn around and demand you hand over your PII. An email you can more easily create in an anonymous way.
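The point that "each website gets its own passkey" is worth seeing in code. The following is an added example, not code from the article or from this commenter: a deliberately simplified model of the WebAuthn credential flow in Go, using only the standard library. The `Authenticator` and `RelyingParty` types, the site names (`example.com`, `bank.example`, the lookalike `examp1e.com`) and the `assertionDigest` construction are all constructed for the example; real WebAuthn signs `authenticatorData || SHA-256(clientDataJSON)` and carries counters and attestation that are omitted here. What it demonstrates is the security property the per-site design buys: the device mints a separate key pair per relying-party ID, a signature for one site fails verification at another, and a phishing domain with a slightly different name simply has no credential to ask for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is a simplified model of the user's passkey device: one
// private key per relying-party (RP) ID. All names here are constructed
// for this example, not taken from any real implementation.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh P-256 key pair bound to rpID and hands back only
// the public half; the private key never leaves the authenticator.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// CredentialCount is how many per-site keys the user is carrying without
// having to manage any of them by hand.
func (a *Authenticator) CredentialCount() int { return len(a.creds) }

// Authenticate looks up the key by the RP ID the browser derived from the
// page origin and signs the site's challenge bound to that ID. A lookalike
// domain has no entry in the map, so there is nothing to sign with.
func (a *Authenticator) Authenticate(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpID, challenge))
	if err != nil {
		return nil, false
	}
	return sig, true
}

// assertionDigest stands in for WebAuthn's signed data: the RP ID is mixed
// into the digest, so a signature cannot be replayed to another site even if
// that site happened to issue identical challenge bytes.
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// RelyingParty is one website: it knows its own ID and the public key it
// stored at registration, and nothing about the user's other sites.
type RelyingParty struct {
	ID  string
	pub *ecdsa.PublicKey
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, assertionDigest(rp.ID, challenge), sig)
}

// DemoResult collects outcomes so they can be checked rather than only printed.
type DemoResult struct {
	Credentials       int
	SiteAOK, SiteBOK  bool
	CrossSiteAccepted bool // site A's signature presented to site B
	LookalikeHadKey   bool // lookalike domain found a credential to sign with
}

// Demo registers with two constructed sites and exercises the scoping rules.
func Demo() (DemoResult, error) {
	auth := NewAuthenticator()
	pubA, err := auth.Register("example.com")
	if err != nil {
		return DemoResult{}, err
	}
	pubB, err := auth.Register("bank.example")
	if err != nil {
		return DemoResult{}, err
	}
	siteA := &RelyingParty{ID: "example.com", pub: pubA}
	siteB := &RelyingParty{ID: "bank.example", pub: pubB}

	var r DemoResult
	r.Credentials = auth.CredentialCount()
	ch := siteA.NewChallenge()
	sigA, _ := auth.Authenticate(siteA.ID, ch)
	r.SiteAOK = siteA.Verify(ch, sigA)
	r.CrossSiteAccepted = siteB.Verify(ch, sigA) // same bytes, wrong site: rejected
	chB := siteB.NewChallenge()
	sigB, _ := auth.Authenticate(siteB.ID, chB)
	r.SiteBOK = siteB.Verify(chB, sigB)
	_, r.LookalikeHadKey = auth.Authenticate("examp1e.com", siteA.NewChallenge())
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints two credentials, both genuine logins accepted, the cross-site replay rejected and the lookalike domain getting no signature at all. The commenter's point stands alongside this: the user still holds one key per site; what changes is that the device, not the user, keeps track of them, which is also why the unanswered sync-and-recovery question matters so much.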
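For the app-based second factor the commenter describes (no phone number, no cell service, usable from any device you provision), the standard building block is RFC 6238 TOTP. The following is an added example in Go, not code from the article or the commenter: an HOTP/TOTP implementation from the standard library with a one-step drift window on the verifier side. The secret `12345678901234567890` is the published RFC 4226/6238 test vector, so the expected codes can be checked against the RFC tables; the function names and the `VerifyTOTP` window policy are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6  // code length
)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then reduction to the requested number of digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// TOTPAt is RFC 6238: the HOTP counter is the Unix time divided by the step.
// Any device holding the same secret and a correct clock produces the same
// code, which is all the "multi-device" requirement actually needs.
func TOTPAt(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/totpStep), totpDigits)
}

// VerifyTOTP is the server side. It accepts the current step and one step on
// either side to tolerate clock drift, and compares in constant time so the
// check does not leak how many digits matched. A production verifier would
// also record the accepted step to refuse reuse of the same code.
func VerifyTOTP(secret []byte, code string, unixTime int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTPAt(secret, unixTime+skew*totpStep)
		if hmac.Equal([]byte(expected), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret (ASCII); a real enrollment would use
	// random bytes shared once via QR code or manual entry, never over SMS.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTPAt(secret, now)
	fmt.Printf("code now: %s, verifies: %v\n", code, VerifyTOTP(secret, code, now))
	fmt.Printf("RFC vector at t=59: %s\n", TOTPAt(secret, 59)) // 287082
}
```

Nothing in this exchange identifies the user or the device: the verifier stores a per-account secret and nothing else, which is exactly why an authenticator app can be private in a way that SMS delivery cannot.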