It's possible to use Tailscale with just a passkey [0], but it's a weird process because they don't let you create a tailnet and a passkey account at the same time. Instead, you need to create an account with a throwaway FAANG credential and send yourself an invite to that account's tailnet, and then use that invite to create a passkey-linked Tailscale account. This account can then create its own tailnet, at which point the original tailnet (and the throwaway FAANG account) can be discarded.
It's a weird process and not particularly user friendly (passkey accounts are tied to a specific passkey and can't have additional ones added, so you need to create a new account if you, say, migrate from one hardware key to another). Hopefully they improve the process before passkey support goes out of beta.
I feel like maybe they should allow adding SSH keys as a login method instead of passkeys.
Though I suppose there is the potential problem of identitiy collision due to public key resuse unless the keys were generated serverside to guarantee uniqueness.
It's a weird process and not particularly user friendly (passkey accounts are tied to a specific passkey and can't have additional ones added, so you need to create a new account if you, say, migrate from one hardware key to another). Hopefully they improve the process before passkey support goes out of beta.
[0] https://tailscale.com/kb/1269/passkeys