David Sparks is frustrated by the slow adoption of passkeys. Me too. And he pointed out why sites hedging their bets and letting you set up both a password and a passkey can be dangerous, which I hadn’t considered:

When a site offers both options, it creates a tempting target for bad actors. Imagine this: You try to log in with your shiny new passkey, and a fake prompt tells you it failed. Next thing you know, you’re asked to log in with your password instead. Guess what? You just handed over your credentials to the bad guys.

It works directly against the promise that passkeys are unphishable.