
Tried entering my email. Fail 1 - doesn't allow autofill.

Then tried signing in. "Enter the passcode that was sent to <email>." Fail 2 - no passcode was ever sent. (Yes, I tried the resend button multiple times, because I'm not a moron. Yes, I checked my spam folder, because I'm not a moron. I know the HN crowd would have taken great pleasure in explaining the obvious to me if I hadn't mentioned it.)

Even if that had worked, how is copying a code from unencrypted email supposed to be either easier or more secure than a password? Fail 3.



The demo in its current state is built with a web component using shadow DOM. Unfortunately, most browsers do not support autofill in shadow DOM yet. A newer version using light DOM will be available soon.

Email codes are just the fallback auth method in case no passkeys are supported on the device or the user has lost access to the passkeys. In real-world scenarios, this may be secure enough, or fallback authentication could be disabled completely, or secured with Security Keys or other 2FA methods, depending on the use case.


The email and passcode are part of the site registration flow for this particular site (e.g. registration requires a verified email address). Other demo sites like webauthn.io do not attempt to add a 'real' registration flow.

My guess is that a demo app was pummeled a bit and fell behind on the email verification queue.

That aside, only the part where you register a new credential (e.g. the browser/OS modal dialog) in that registration process is using passkeys.


So, not saying what happened to you didn't happen, but as a counterpoint:

1. It allowed me to autofill. Both the email and the passcode.

2. The passcode was sent and I received it without issue.

So, not sure what happened to you, but your failures don't seem an issue with Passkeys, but rather just software in general.



