Best practice (which is probably rarely followed) is to let users add multiple passkeys to the same account. That said, the level of lock-in they achieved by not letting you export anything and syncing only to a certain ecosystem's cloud servers in all big vendor implementations is completely over the top.