Password and other factors are not going anywhere. You can set password, TOTP, email, phone and passkey at the same time. And use passkey because it's convenient. But use other combination of factors, if you need to access website without passkey. At least if website owner allows it. But I think that most websites will allow it.

Account recovery is a separate issue. There's nothing about a pass key that makes account recovery any harder or easier than if someone loses their MFA TOTP device or forgets their password.

You can (and are generally required to unless you purposefully use a "non-compliant" implementation that ignores it) set a PIN on your passkey.

> Passkeys are always going to be less secure than username + password + Webauthn

It's less secure in the same way that a door is less secure if you put a single strip of duct tape across that same door. Technically yes, but not in any meaningful sense.

If you can recover your account solely with your username and password, then what security does your Yubikey provide?