As opposed to username/password, where... An attacker that controls the email address can log right in.
Unless you mean to say I should set up 2FA for my CSS theme variable helper website?
Passkeys and OAuth/social login are great, but everyone has an email. And I don't think any mainstream site supports only passkey as an auth method (and no other way).
"Passkeys and OAuth/social login are great, but everyone has an email"
Big tech is only allowing social login from another big tech anyway; they use a whitelist and ban everyone that doesn't use that because they can't guarantee an untrusted "third party".
"Everyone has an email" is like "everyone has a phone number": wrong and bad. At least email addresses aren't difficult to get...