Totally agree. I have used FIDO2 and WebAuthn before and I liked it. Particularly with a hardware key the mental model is quite straightforward. Now with that Microsoft, Google and syncing business I am left totally confused. Why the hell should all I store a private key in some cloud?? What happens if that provider decides to terminate my account, or if it gets pressured to release the key? Also, how does this all work with Windows Hello and other things in between??? I know a bit of crypto and security protocols, but the passkey concept and possible attack vectors totally escape me.