Despite shortcomings, email + password was simple. One identity, one credential. One login surface (a username + password screen). For users, the happy path was pretty simple. Login failure meant either your username or password was wrong. All login issues were resolved on one or two screens (including the reset flow).
OAuth brought more complexity needing to be remembered. Now failure could be a number of things: wrong user id, wrong password, selecting one of many OAuth providers incorrectly, having login issues on one of those providers, etc. One of a dozen failures could occur across half a dozen screens without indication of which one needs correcting.
WebAuthn adds two more dimensions: login device and hardware token. Users who have multiple devices (i.e. nearly everyone) need to remember which key was used and where it's stored. Every device implements the token negotiation slightly differently. Now users need to remember username, password, which hardware token, where the token is connected -- in addition to all the OAuth and password decisions above. A half dozen more non-deterministic failure modes.
In the best case this may work well, but it's still 3-4 screens to log in in the happy path, and dozens of combinations of screens to restore a broken login.
In case you think this is academic, I've been locked out of two major websites where Passkeys were working properly on one device and suddenly stopped working altogether. I had no real recovery mode.
Are we making things better or worse? How do we manage this added complexity? Does it matter how cryptographically secure a tool is if it's impossible to use properly?