
So how well do passkeys work when you don't sync passwords? When you bounce from machine to machine, from OS to OS.

How well does password recovery work in those scenarios?



This is a really common question but it has a really simple answer. They still have recovery methods. You can optionally change these with most providers (go into account settings, set up something like recovery codes and check the option to be completely passwordless) but regardless they still have recovery methods. As in I lost my phone and I recovered the account with a combination of my secondary email and old password.

You might argue "but if they still have the recovery methods isn't my account only as secure as those" and to that I'd point out that you're still way ahead with passkeys simply by not entering passwords on a routine basis. The recovery methods tend to be two-factor as well, just without passkeys as one of the two factors (hence email+password) so still a win over password alone in any case.

Passkeys should be thought of as no different to the old two-factor authenticators. I mean that's literally what they are, essentially the latest FIDO standard that allows devices such as your phone to be a hardware security key in its own right. These always had ways to do account recovery with all the providers.


Using CTAP2, you can authenticate a passkey on any Windows laptop. macOS also has decent support (though not as seamless if you're not using an iPhone because of course it isn't). I personally do it when I need to boot Windows for something, using the Bitwarden app to expose passkey logins to my laptop.

Basically, when the system prompts to pick a key, click the "log in with phone" button, unlock your phone, and select the account/click "OK" to authenticate. The first time you do this, you need to scan a QR code to pair the phone to your computer, but after that you can use your phone whenever you need it.

Passkeys on Linux (and probably even more so on the more niche systems like the *BSDs) can use some love, especially when it comes to CTAP2. Chromebooks are probably the only Linux devices with native support for that.

If you want to safeguard against a fire, use a passkey provider that does exports (i.e. Bitwarden, KeePassXC) and then treat those exports the same as your password database file.


Should allow multiple passkeys. So you have one per device.


That introduces new friction to setting up a new device, which is worse than the case with passwords.


You can use the same passkey for multiple devices (for example with KeePassXC as an authenticator that handles them), but it reduces security, the same as, for example, using an SSH private key that's not unique per device.


And if you don't use the same passkey, then you have to create more passkeys.


You should be able to revoke needed passkeys then. I.e. let's say you lost device A. Maybe revoke access for the associated passkey for all places where you used it, but the rest of them would remain OK. Not sure how sites handle that (if at all).
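A sketch of how a relying party can do exactly that, as an added example that is not code from any commenter here or from any passkey provider: an account holds several credentials keyed by credential ID (one per device, as the thread suggests), and revoking the lost device's ID leaves the others working. It assumes ES256 (P-256 ECDSA) passkeys, the constructed relying-party ID `example.com`, a constructed `clientDataJSON`, and an authenticator simulated in-process by `SignAssertion`; a real relying party also checks the challenge and origin inside `clientDataJSON`, which is left out here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is one registered passkey as stored by the relying party (RP).
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32 // last accepted signature counter from this authenticator
	Revoked bool
}

// Account maps credential ID -> passkey, so one user can hold one passkey per device.
type Account struct{ Creds map[string]*Credential }

// Register stores a new passkey; the registration ceremony itself is omitted here.
func (a *Account) Register(id string, pub *ecdsa.PublicKey) {
	a.Creds[id] = &Credential{Pub: pub}
}

// Revoke disables the passkey of a lost device; every other passkey keeps working.
func (a *Account) Revoke(id string) error {
	c, ok := a.Creds[id]
	if !ok {
		return errors.New("unknown credential")
	}
	c.Revoked = true
	return nil
}

// authData builds the 37-byte WebAuthn authenticatorData: SHA-256(rpID) || flags || signCount.
func authData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], 0x05) // flags: user present (bit 0) and user verified (bit 2)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], counter)
	return append(out, n[:]...)
}

// signedMessage is the digest an ES256 authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(ad, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return h[:]
}

// SignAssertion simulates the authenticator: device private key + its counter -> authenticatorData and ES256 signature.
func SignAssertion(priv *ecdsa.PrivateKey, counter uint32, rpID string, clientDataJSON []byte) (ad, sig []byte, err error) {
	ad = authData(rpID, counter)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, clientDataJSON))
	return ad, sig, err
}

// VerifyAssertion runs the RP-side checks for one login attempt with credential credID.
func (a *Account) VerifyAssertion(rpID, credID string, ad, clientDataJSON, sig []byte) error {
	c, ok := a.Creds[credID]
	if !ok || c.Revoked {
		return errors.New("unknown or revoked credential")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(ad) < 37 || !bytes.Equal(ad[:32], want[:]) {
		return errors.New("rpIdHash mismatch: assertion was not made for this site")
	}
	count := binary.BigEndian.Uint32(ad[33:37])
	// Synced passkeys may always report 0; a non-zero counter must strictly increase (catches replays).
	if count != 0 && count <= c.Counter {
		return errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(c.Pub, signedMessage(ad, clientDataJSON), sig) {
		return errors.New("invalid signature")
	}
	c.Counter = count
	return nil
}

func main() {
	acct := &Account{Creds: map[string]*Credential{}}
	phone, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	laptop, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	acct.Register("cred-phone", &phone.PublicKey)
	acct.Register("cred-laptop", &laptop.PublicKey)
	// Constructed clientDataJSON; a real RP also checks its challenge and origin fields.
	cd := []byte(`{"type":"webauthn.get","challenge":"constructed","origin":"https://example.com"}`)
	ad, sig, _ := SignAssertion(phone, 1, "example.com", cd)
	fmt.Println("phone:", acct.VerifyAssertion("example.com", "cred-phone", ad, cd, sig))
	_ = acct.Revoke("cred-phone") // phone lost: only this one credential is disabled
	ad, sig, _ = SignAssertion(phone, 2, "example.com", cd)
	fmt.Println("lost phone:", acct.VerifyAssertion("example.com", "cred-phone", ad, cd, sig))
	ad, sig, _ = SignAssertion(laptop, 1, "example.com", cd)
	fmt.Println("laptop:", acct.VerifyAssertion("example.com", "cred-laptop", ad, cd, sig))
}
```

The revocation is per credential ID rather than per user, which is what makes "one passkey per device" workable: the lost phone's key is useless after `Revoke`, while the laptop's key still verifies. The rpIdHash check is also why a passkey made for one site cannot be replayed against another, and the counter check is what flags an assertion that is replayed or signed by a duplicated key on non-synced authenticators.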


It works great with physical keys. Just need one as backup you leave at home.


And you need to register for every new service you create an account with.

It's also not a good idea to store the backup at home – house fires are unfortunately a thing, and chances are you might not have time to grab either your main or your backup key.



