TBH, I don't get how "normal" users without a roaming authenticator are going to do this.
Let's say I'm a layman person, nothing fancy, my password is my cat's birthday and I have a home desktop PC for gaming and a laptop for my work. My desktop Windows computer can authenticate to a website, and currently has it open with me logged in as "Alice". Now, I want to access the site from my Mac laptop. I go to the website, but I assume that to add an additional passkey to account "Alice" I must somehow authenticate.
I cannot do this on my laptop - only my desktop has a valid passkey so far. Let's assume it's not removable, and I don't have any fancy password manager that syncs across my computers - again, our Alice is completely non-technical. So we must either: a) somehow create a passkey on the laptop, transfer its public key to the desktop, register it there, then be able to log in from the laptop; or b) initialize the login flow on the laptop, but transfer the request to the desktop, make it generate a valid authentication response, transfer it back to the laptop, get logged in, then proceed with registering a new passkey. Are we going to have fun waving the laptop camera around, or is there some BLE protocol, or are we ditching all our fancy cryptography-protected authenticators and going straight for access recovery aka "code over email/sms", the lowest common denominator? (Which possibly implies spam^W contact methods are mandatory?)
All the demos I've found online seem to completely disregard this aspect; they just show me "start over" after I log in with the first device, and I haven't found any showcase of how I can enroll a second device. Their FAQs sorta imply I'm either an all-Apple or all-Google or all-Microsoft person, because all they say is that software providers will sync keys across devices. Which - I hope to be wrong - I find unlikely.
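Flow (b) from the comment above, written out as an added toy relying party (not code from this thread or from any real passkey implementation; the `RP` and `Account` types, the credential IDs, and signing the raw challenge with Ed25519 are simplifications assumed for illustration): the laptop begins the login, the desktop's already-registered passkey signs the challenge, and only the session that results may enroll the laptop's new key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Toy relying party for this example: one account holds several passkey public keys.
type Account struct{ Keys map[string]ed25519.PublicKey } // credential ID -> public key
type RP struct {
	Accounts   map[string]*Account
	Challenges map[string]bool // outstanding single-use login challenges
}

// BeginLogin runs on the laptop: the site hands out a fresh random challenge.
func (rp *RP) BeginLogin(name string) ([]byte, error) {
	if _, ok := rp.Accounts[name]; !ok {
		return nil, errors.New("unknown account")
	}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	rp.Challenges[string(challenge)] = true
	return challenge, nil
}

// FinishLogin takes the signature the desktop's authenticator produced over the challenge
// (carried back to the laptop by whatever transport). It succeeds only under a key already
// registered to the account, and consumes the challenge so it cannot be replayed.
func (rp *RP) FinishLogin(name, credID string, challenge, sig []byte) (*Account, error) {
	acct, ok := rp.Accounts[name]
	if !ok || !rp.Challenges[string(challenge)] {
		return nil, errors.New("unknown account, or unknown/reused challenge")
	}
	delete(rp.Challenges, string(challenge))
	if pub, ok := acct.Keys[credID]; !ok || !ed25519.Verify(pub, challenge, sig) {
		return nil, errors.New("assertion rejected")
	}
	return acct, nil
}

// AddPasskey enrolls the laptop's new key. It requires the session FinishLogin
// returned, so only a holder of an existing passkey can add another one.
func (rp *RP) AddPasskey(session *Account, credID string, pub ed25519.PublicKey) error {
	if session == nil {
		return errors.New("not authenticated")
	}
	if _, dup := session.Keys[credID]; dup {
		return errors.New("credential ID already registered")
	}
	session.Keys[credID] = pub
	return nil
}
```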
> or we're ditching all our fancy cryptography-protected authenticators and going straight for access recovery aka "code over email/sms" lowest-common-denominator
Well yeah, every single online account you have uses an email address as the account recovery mechanism. That isn't going to change.
> every single online account you have uses email address
No, not every single one. This is provably false.
I can prove it right on this very website, where we all have usernames rather than email addresses. Going over my password manager, while the majority of records have an email address for a credential, a fair share of records have usernames instead.
That has nothing to do with anything. Think of this as a password, except the password is autogenerated and stored on the device itself. And you can have multiple passwords for the same account.
Who is allowed to add an additional password and how are they authenticated? The answer has to be simple enough for me to understand if I'm to consider using passkeys.