Resident keys are good for SSH (I've done my part to make their use more accessible: https://bostik.iki.fi/aivoituksia/projects/yubikey-ssh.html), although the overall usability can still be improved. We are at an early stage of a new type of technology and people are still finding out what it can even be used for in realistic settings.
They are also good for enterprise deployments, where you can justify 2 (or 3) keys per user, and where you have a dedicated IT team to take care of account resets.
But resident keys for general website logins are a terrible idea. As other posters have already pointed out, the relevant security keys have a fixed number of key slots. Current best-of-breed hardware can store 25 resident keys. With only a small fraction of websites using WebAuthn, that limit is not an immediate concern - but considering the average user has about 100 online accounts[0], those slots will run out. Now consider that to have them be secure, the keys really can't be exportable. And in order to account for hardware failures and/or misplacements, you'd need a minimum of two such devices enrolled for each account.
The most depressing part of this all is that while passkeys are under the hood FIDO2 credentials, and their communication protocol is the same as with hardware devices, having passkey support can indeed rule out physical devices. As the article points out, the transport specifier is different, and there is nothing that prevents an implementation from flat-out rejecting anything other than "internal".
With Yubikeys there's also the option of using the GPG smart card functionality for SSH keys. It's quite a bit of a hassle client-side, but it's completely transparent to the server.
0: https://tech.co/password-managers/how-many-passwords-average...