You omitted my favorite feature: virtually immune to phishing. You can't accidentally submit a passkey to a lookalike domain.

For phishing protection, passkey as a single factor is better than memorized password + TOTP/SMS two factor.