Passkeys are legitimately so much better for security, and then we fucked it up.
“I can just click this link that says ‘passkey access’, right?”
This isn’t to blame the people working on the specs, or even the tools. It’s just the emergent reality of the various actors all trying their best.
Hardware-backed passkeys? Great security. They can’t be exported, and they can’t be used without your device. Obviously, this required that we create a solution where a passkey could be used on a device other than the one you set it up on. Now passkeys can be exported.
Exportable passkeys are objectively still better than passwords or TOTP 2FA. But they’re also a marked downgrade from hardware-bound keys, and in a way that seems pretty transparent to the user.
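The one party that can actually see this downgrade is the relying party, because WebAuthn’s authenticator data carries a flags byte whose Backup Eligibility (BE) and Backup State (BS) bits say whether a credential can be, or currently is, synced off the device. The code below is an added example and not code from the original post: it parses that flags byte, classifies a credential as device-bound, sync-eligible or synced, and runs a simple policy over the result so a site can at least know which kind of passkey it registered. The byte layout and bit assignments are the ones the WebAuthn spec defines; the `policy` object shape is a hypothetical one for this example, and the sample authenticator data, including its placeholder rpIdHash, is constructed here rather than captured from a real registration.

```javascript
// Added example, not code from the original post. Reads the WebAuthn
// authenticatorData flags byte so a relying party can tell a device-bound
// passkey from a backup-eligible (syncable / exportable) one.
//
// authenticatorData layout (WebAuthn spec):
//   bytes 0..31   rpIdHash  (SHA-256 of the RP ID)
//   byte  32      flags
//   bytes 33..36  signCount (big-endian uint32)
//   bytes 37..    attestedCredentialData / extensions (optional)
//
// flags bits: UP=0x01 (user present), UV=0x04 (user verified),
//             BE=0x08 (backup eligible), BS=0x10 (backup state),
//             AT=0x40 (attested credential data), ED=0x80 (extensions)
const FLAG_UP = 0x01;
const FLAG_UV = 0x04;
const FLAG_BE = 0x08;
const FLAG_BS = 0x10;

function parseAuthenticatorData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticatorData must be at least 37 bytes');
  }
  const flags = authData[32];
  // signCount is big-endian; >>> 0 keeps it an unsigned 32-bit value
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    backupEligible: (flags & FLAG_BE) !== 0,
    backupState: (flags & FLAG_BS) !== 0,
    signCount,
  };
}

// Classifies a credential from its flags. The spec forbids BS=1 with BE=0,
// so that combination is reported as invalid rather than guessed at.
function classifyCredential(parsed) {
  if (parsed.backupState && !parsed.backupEligible) return 'invalid';
  if (!parsed.backupEligible) return 'device-bound';
  return parsed.backupState ? 'synced' : 'sync-eligible';
}

// Relying-party policy check: returns the reasons the credential fails the
// policy, or an empty list if it passes. The policy object shape is a
// hypothetical one for this example, not part of any WebAuthn API.
function policyViolations(parsed, policy) {
  const reasons = [];
  const kind = classifyCredential(parsed);
  if (kind === 'invalid') reasons.push('BS set without BE (malformed flags)');
  if (policy.requireDeviceBound && kind !== 'device-bound') {
    reasons.push(`credential is ${kind}, policy requires device-bound`);
  }
  if (policy.requireUserVerification && !parsed.userVerified) {
    reasons.push('user verification flag not set');
  }
  if (!parsed.userPresent) reasons.push('user presence flag not set');
  return reasons;
}

// Constructed sample authenticatorData: a placeholder rpIdHash (not a real
// hash), the given flags byte, and a big-endian signCount.
function buildSampleAuthData(flags, signCount) {
  const out = new Uint8Array(37);
  out.fill(0xab, 0, 32); // placeholder rpIdHash, constructed for the example
  out[32] = flags;
  out[33] = (signCount >>> 24) & 0xff;
  out[34] = (signCount >>> 16) & 0xff;
  out[35] = (signCount >>> 8) & 0xff;
  out[36] = signCount & 0xff;
  return out;
}

// Walk-through on two constructed credentials: one device-bound, one synced
const strictPolicy = { requireDeviceBound: true, requireUserVerification: true };
const deviceBound = parseAuthenticatorData(buildSampleAuthData(FLAG_UP | FLAG_UV, 7));
const synced = parseAuthenticatorData(
  buildSampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 1)
);
console.log(classifyCredential(deviceBound), policyViolations(deviceBound, strictPolicy));
console.log(classifyCredential(synced), policyViolations(synced, strictPolicy));
```

In a real registration flow the flags are read from the `authData` inside the attestation object (and again from the authenticator data on every assertion, since BS can flip after the fact), and the classification is stored alongside the credential so the site can decide what the passkey may be used for.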