I wouldn’t be surprised if you’re right, but I think it’s not all bad to only use auth from big tech - I don’t know if I trust most small companies to implement uname/password auth correctly. Most users recycle passwords too so a leak is really bad.

I think the reason to only support big tech passkey auth is because users (at scale) can’t be trusted to keep track of their hardware keys.