
Passkeys are more than good enough. Software keys are indistinguishable from hardware keys in the context of credential phishing. Both kinds of keys have the same weaknesses, too, e.g. OAuth phishing (keys do nothing) and DNS hijacking (keys degrade to the same security value as OTP).

Other threat models (malware, physical access) are a different story, of course.
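
An added example, not part of the comment above: a relying party's WebAuthn assertion checks in Node.js, showing that the origin and RP ID binding is verified the same way whether the signing key lives in software or in hardware. The RP ID, origins, helper names and the in-process key pair standing in for an authenticator are all constructed for illustration.

```javascript
const crypto = require('crypto');

const RP_ID = 'example.com';                     // assumed relying party ID
const EXPECTED_ORIGIN = 'https://example.com';   // assumed site origin
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Constructed stand-in for an authenticator. The relying party receives the
// same message layout from a software passkey and from a hardware key.
function makeAssertion(privateKey, origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (UP = 0x01) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party side: returns 'ok' or the name of the first failed check.
function verifyAssertion(a, publicKey, challenge) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.challenge !== challenge.toString('base64url')) return 'bad challenge';
  // The browser, not the user, writes the origin; a look-alike page cannot forge it.
  if (client.origin !== EXPECTED_ORIGIN) return 'bad origin';
  if (a.authenticatorData.length < 37) return 'short authenticatorData';
  const rpIdHash = a.authenticatorData.subarray(0, 32);
  if (!crypto.timingSafeEqual(rpIdHash, sha256(RP_ID))) return 'bad rpIdHash';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: one key pair, one challenge, two origins. The second
// assertion models the worst case where the same key signed at a look-alike
// origin (a real authenticator scopes the credential to its RP ID and would not).
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = crypto.randomBytes(32);
  const genuine = makeAssertion(privateKey, EXPECTED_ORIGIN, RP_ID, challenge);
  const lookalike = makeAssertion(privateKey, 'https://example-login.test',
    'example-login.test', challenge);
  return {
    genuine: verifyAssertion(genuine, publicKey, challenge),
    lookalike: verifyAssertion(lookalike, publicKey, challenge),
  };
}
```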


