>>caust1+(OP)
Credential stuffing would be a much less effective strategy is web apps went back to string-based usernames, and not email-based ones.
Also, I hit CTRL-F on this post for the term "portable", and I got zero hits. Both passwords and SSH keys are trivially portable. Not so much with WebAuthn passkeys.
>>jgalt2+dw1
Hopefully it shouldn't take much to get there. Bitwarden/Vaultwarden already allows exporting the private key and (as far as I can tell) all other metadata required by another implementation to import them.