You can do that without an extension. There’s a bunch of different protocols that let you, for example, use your phone as the authenticator.
You can log in with your phone on a computer you’ve never used before by scanning a QR code and credentials never leave your device.

My passkeys are tied to my phone, which I use via the browser and OS. I keep them in my password manager running on the phone. My password manager supports the open spec for securely migrating credentials between vendors.

It may be difficult to believe but they want you to use them because they’re legitimately significantly better.

Users are silly. They blame Microsoft for bad passwords. They blame Google for forgotten passwords. They blame Facebook when they click on a phishing link. They blame apple when apple “lets” someone who they gave their password to see their pictures. They blame apple when they don’t let the user in just because they forgot their password and every recovery mechanism.

Everyone involved has a significant issue with passwords because they cost them user satisfaction, credibility, or money directly. The reason cross vendor transfer has been slow is because everyone wants to be the leader, since if everyone follows your lead you get to make it work better with your stuff.

That ones because users like choice. They need to look up who you are to know how you’ve chosen to authenticate. At least, that’s how it started. Some could be doing it because the big kids are, but that’s why the big kids do.
And they support choice because businesses want to use their login infrastructure and refuse to share. So you enter “user@businessOrUniversity.com.edu” and it forwards you to your institutional login.

They inevitably didn’t write it for that reason. They wrote it to say the field is invalid until the user changes it to be valid after someone landed on the page holding the enter key down and instantly locked themselves out after submitting the form 50 times in 3 seconds.
Unless you know otherwise, it’s easy to think that “form interaction” is the same as “form changed”, and one of those is much easier to check.

I’m unsure what you mean about passkeys. I don’t think I’ve heard anyone mention significant concessions to os makers and I’m pretty tuned in on the topic.

Depends on the system. The thing where your password manager is managing your passkeys? That’s a single factor unless it’s doing something tricky that none of them do.
When it’s the tpm or a Bluetooth connection to your phone? That’s actually two factors, and great.

That’s not what that research document says. Pretty early on it talks about rote mechanical processes with no human input. By the logic they employ there’s no difference between LLM code and a photographer using Photoshop.