It can't be the same as my password manager if email password reset flows disappear. If I lose access to my password manager but not my email, then I can go through and systematically reset all of the accounts that I remember exist. What you're describing with passkeys, though, would not allow me to do that.
> But at the end of the day I would suggest that it should be straight up illegal for a company to freeze your account without letting you export your data.
This would be great but it only addresses the least likely failure mode out of the ones that I brought up.
And note that in many cases we're currently better off under the existing system if Gmail does ban you than we would be in your proposed world: only services that send OTPs on every login would be immediately inaccessible, so you'll have time for most services to log in and switch to a new email address.
I think for most services you'd still be able to email reset your passkeys unless it's a particularly sensitive service, the kind which don't allow email resets of your 2FA tokens today.
A password/passkey reset flow is semantically equivalent to an alternative login method and if done via email is semantically equivalent to a magic link.
Which means that any service that claims to be passkey-only but supports email resets should just acknowledge that they support both magic links and passkeys as options—they're kidding themselves and their users if they pretend otherwise.
Passkeys are at least more convenient than magic links as they do not require opening an email or pulling your phone out for an SMS code. You're right though that Passkeys + email reset is no more secure than email magic links, but I'd say email magic links are perfectly secure for most use cases. There really is no reason to continue using passwords these days and every website should switch to either magic links, Email OTP, or passkeys.
For more sensitive accounts like bank accounts and government services, you'd probably have to go through some other reset process involving real ID and possibly an in-person visit to a support location.