Account security in core still relies solely on a username and password combination which in 2026 is a very weak way to secure accounts. Adding the ability for users to include a Passkey to their account means that they would then be required to use a device they physically own to be able to login to their account.

There should be a basic implementation in core to let people set up a Passkey on their account so users have a choice as to whether they want to use this or not. A beta/preview extension could explore ways of enabling this under certain circumstances (such as any user with a_* or m_* permissions) but realistically the option just needs to exist right now so people can choose if they want to use them or not.

I don't know if this is maybe too big for 3.3 but it certainly needs to be in 4.0.