Passkeys are phishing resistant, or so they say... but the web app still needs to let you in with password + 2FA... So I'm not sure how much that's really worth.
I guess if the users are typically never seeing a 2FA prompt then it should be more suspicious when they see one?
Passkeys are a replacement for passwords. Passwords don’t solve the problem of a lost password, and passkeys don’t solve the problem of a lost passkey. How a site deals with lost credentials is up to them. It doesn’t need to be password + 2FA.