Correct me if I'm wrong but isn't it fair to say that passkeys secured on your phone are more secure than 1FA (password) but less secure than "traditional" 2FA?

   Passkey 2FA: unlock your phone and the passkey on your phone can log you in.

   Traditional 2FA: remember a password AND unlock your phone (where your TOTP is stored) and you can log in.

If I were to rate all 3 methods on a scale of 1 to 10, for convenience and security, I'd say:

    Method              Convenience   Security
    Password only:      4/10          2/10
    Passkey 2FA:        9/10          8/10
    Traditional 2FA:    6/10          9/10
Fair?

No, if you break into a site using passkeys, it gives you literally zero information that can be used to authenticate as any of the users. Think about the prevalence of data breaches in the past decade, and the sharp rise in the effectiveness of password stuffing, and think about why this change might be a good idea.

Also even with traditional 2FA, TOTP can be phished. See https://github.com/kgretzky/evilginx2

WebAuthn almost entirely eliminates phishing risk (at least with respect to credential harvesting), and Passkeys are a really nice, clean UX for using WebAuthn.