Let’s start with a smartphone. A user creates an account with a passkey for a service, that passkey gets stored on their smartphone, and they can use biometrics to sign in from then on. The private key is stored on the smartphone. Great.
But then how do you sign into that same service from a different device?
If it’s by using a password manager, some third party piece of software, How do you sign in on a device where you’re not allowed to install third party software?
If 1Password becomes annoying, you might want to consider Bitwarden, which, if worst comes to worst, you can host yourself. Unlike Keepass you don’t need to manually sync a password blob. However, that also means that if Bitwarden’s/your server is down, synchronising will be impossible.
We’re in the process of adopting BitWarden at my job. I’m liking it so far. Not enough to convince my family to switch (yet), but enough that I wouldn’t hesitate to jump over there if I needed to.