A passkey can also be a hardware device. Which can also be stolen. There are passkeys that require biometric input like a fingerprint though. In any case, there always needs to be an account recovery process should you lose a passkey and that's always the weakest link.

Simply sending notification emails when sensitive changes are made to your account are a great way to mitigate hack attempts as an intervention can be made quickly before the attacker is able to steal your account.