Switching FIDO devices will seem to be a problem down the road like account recovery and a potential attack vector. Kicking the can down the road in a sense if mitigation measures are not taken from now.
They replaced passwords with FIDO/WebAuthn devices not added WebAuthn 2FA.
So iff they use WebAuthn `authenticatorAttachment: "platform"` this will use TPM, TouchId and similar and should have very similar security as using a password + password manager (which you unlock by TouchId or similar). I.e. for the "common" user I would expect it to be the same security aspects minus the password manager being an additional attack surface. For users which 2FA secure they password manager or similar it's a different matter but thats not the common user.
Similar as it's not 2FA you can have mostly the same auth reset workflows as with passwords (through with more requirements for things to happen on the same device which for most common users don't matter too much).
I also amuse it uses "platform" and not "cross-platform" as there are just to few people which have a HSK (like a Yubikey) and also their attack surface is different, e.g. if you make a HSK the main auth criterion you should still add a PIN, or have a HSK with a fingerprint scanner or similar.
