I helped implement support for passkeys in a banking product. They obviate so many attack vectors and adoption is high enough that it should be a requirement to at least support them.

We already require TOTP-based 2FA, and have even implemented secure TOTP via our mobile apps. Customers still do not understand 2FA and probably never will; we regularly have customers request 2FA resets after using their 10 backup codes. SMS- or email-based 2FA is a no-go.

We don't require hardware attestation, as that is the recommendation of the FIDO alliance and Google/Apple/Microsoft. It doesn't make sense to cut out iCloud/Google-synced passkeys given the clear security benefits over passwords+2FA.

Keep in mind that for our service, we regularly see attackers set up copycat sites to phish user credentials, and pay for Google Search ads to appear before our site in search results. These phishing attempts are sophisticated and customers will send their 2FA codes through them. _This is impossible with passkeys._