We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
I mean you don’t have to authenticate your passkey with biometrics, you can use a password.
I guess I’m not really picking up on what the benefit is you’re going for. You already have a What You Have and a What You Know or What You Are, and you want a second What You Also Have thrown in there. I mean, I guess having that as an option couldn’t hurt. but I also don’t think it’s really necessary.