“anyone who can get into your Apple ID account and either see your phone notifications or redirect an SMS message can delete all your passkeys”

Link. Is your passkey provider specified on initial connection to a site?