Honest question: isn't that introducing some weaknesses, allowing the attacker to either reactivate password auth or add it's own passkey eh by tricking the user in accepting that change after receiving a mail with a link to accept that change?
That would make the passkey unbreakable, but leave other easier to exploit weaknesses.