
The same thing that happens if you enroll in 2FA and lose your 2FA cred: you go into a complicated account recovery process.

For this reason, at the huge providers, when you enable 2FA (or Passkeys) you usually have to set up a recovery buddy account or something like it.



But if that "buddy account" is 'passworded' by the same passkey device?

Getting a new SIM card with the same number is easy, you just go to your mobile provider with your ID card, and you're done in five minutes.

I mean still... the article mentions a "single point of failure" as a bad thing with other methods, but forgets about it here.


Until the passkey workflow goes sideways for "tech" people I don't think the risks will be acknowledged (if then even).

Those of us who don't want to let Google, Apple, or Microsoft manage our passkeys (i.e. pledging our fealty to our lords) will be seen as fringe lunatics.

I'll keep my workflow of always visiting sites by typing the URL myself, using a password manager, and TOTP 2FA w/ the secrets saved offline on paper. At least until I'm not allowed to do that anymore.


Same here, I don't like passkeys for many reasons. Another reason is that I can't see the key that I'm using. Therefore: What if Bitwarden doesn't pick up the passkey? Tough luck, I'm out of options. I cannot manually create a passkey entry in Bitwarden because it's all hidden magic. If I notice that the password manager doesn't pick up a registration then I just add it myself. Not possible with passkeys.


Luckily Bitwarden supports passkeys. And you can self-host it. And even vaultwarden/bitwarden-rs supports passkeys.


Easy if you're in the same country as the provider. Not so easy if you're on the other side of the planet.


Getting a SIM card is too easy, many millions have been lost to SIM-jacking.


In most countries, not really.

Some countries have problems with people and IDs, like the US, so that's a different story.



