I'd think it's exactly the same as using a password manager. Yes in theory you could memorize 500 unique passwords or write them down, but no one is doing that.
There are a few things unique to passkeys though. You can register multiple passkeys for the same account so you could in theory have a physical USB key and cloud synced passkeys. Not many people would do this I would think though it would be easier than memorizing every password. There are also data portability specs in progress right now that let you export/import passkeys between services.
But at the end of the day I would suggest that it should be straight up illegal for a company to freeze your account without letting you export your data. It probably actually is by the GDPR. This problem also already exists for email too. If Google bans you, you'll find a lot of your accounts become unusable. Anything with email OTPs wont work, and some services like Discord won't allow updating your email without access to the existing one.
It can't be the same as my password manager if email password reset flows disappear. If I lose access to my password manager but not my email, then I can go through and systematically reset all of the accounts that I remember exist. What you're describing with passkeys, though, would not allow me to do that.
> But at the end of the day I would suggest that it should be straight up illegal for a company to freeze your account without letting you export your data.
This would be great but it only addresses the least likely failure mode out of the ones that I brought up.
And note that in many cases we're currently better off under the existing system if Gmail does ban you than we would be in your proposed world: only services that send OTPs on every login would be immediately inaccessibile, so you'll have time for most services to log in and switch to a new email address.
I think for most services you'd still be able to email reset your passkeys unless it's a particularly sensitive service, the kind which don't allow email resets of your 2FA tokens today.
A password/passkey reset flow is semantically equivalent to an alternative login method and if done via email is semantically equivalent to a magic link.
Which means that any service that claims to be passkey-only but supports email resets should just acknowledge that they support both magic links and passkeys as options—they're kidding themselves and their users if they pretend otherwise.
Passkeys are at least more convenient than magic links as they do not require opening an email or pulling your phone out for an SMS code. You're right though that they Passkeys + email reset is no more secure than email magic links, but I'd say email magic links are perfectly secure for most use cases. There really is no reason to continue using passwords these days and every website should switch to either magic links, Email OTP, or passkeys.
For more sensitive accounts like bank accounts and government services. You'd probably have to go through some other reset process involving real ID and possibly an in person visit to a support location.
If your passkey manager account gets frozen the clients on all your devices should still have local copies of the passkey database that you could continue to use until you have a chance to export and migrate to another passkey manager.
There are a few things unique to passkeys though. You can register multiple passkeys for the same account so you could in theory have a physical USB key and cloud synced passkeys. Not many people would do this I would think though it would be easier than memorizing every password. There are also data portability specs in progress right now that let you export/import passkeys between services.
But at the end of the day I would suggest that it should be straight up illegal for a company to freeze your account without letting you export your data. It probably actually is by the GDPR. This problem also already exists for email too. If Google bans you, you'll find a lot of your accounts become unusable. Anything with email OTPs wont work, and some services like Discord won't allow updating your email without access to the existing one.