We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
Bitwarden has a passkey service + a paid TOTP service, so I can always use either to log into whatever within two clicks. Yeah it’s less secure than a physical keychain but… Whatever, it’s better than passwords and as easy to use.
In any case, if you store the backup codes in a place where you can lose them, that’s on you. Upload them into somewhere you control that has good privacy laws.