Passkeys are built on the FIDO2 standard (CTAP2 + WebAuthn). They remove the shared secret, stop phishing at the source, and make credential stuffing useless.

But adoption is still low, and interoperability between Apple, Google, and Microsoft isn’t seamless.

I broke down how passkeys work, their strengths, and what's still missing.

  • baggachipz@sh.itjust.works · +6 / −1 · 6 hours ago

    My company’s online product uses passkeys (I implemented it) more as a convenience method for login. 2FA is the base standard, and authenticated users can create a passkey for each device they want to use. Subsequent logins can then use the passkey or 2FA. Rather than having to dig out my phone, open the authenticator app, and put in the digits, I can simply use the fingerprint reader and I’m right in.

    • HereIAm@lemmy.world · +5 · 3 hours ago

      That doesn’t sound like a TOTP vs passkey situation though. It sounds like the program just releases the passkey when you give it the fingerprint. There wouldn’t be anything stopping the program from generating an OTP and passing that along when you identify with the fingerprint.

      I think a big issue is how difficult it can seem to get easy access to TOTP codes, like digging out your phone in your example. But that’s more of a browser/operating system failure for not implementing a way to generate those codes the way they can already store usernames and passwords.