1. While a password manager should associate a TOTP seed with a domain and only fill codes on that domain, the codes are still visible to you. A convincing phishing attack might trick you into manually entering a code into a fake page. Passkeys don't allow this.
2. TOTP codes are derived from a seed shared between the client and server, so an attacker who gets read access to the server's database could generate your codes. With passkeys, the server can only validate a signature, not generate them.
Minecraft authentication requires a Microsoft account. People may not want to have one for ideological reasons, or not want to attach a game to the account they use for other purposes.
Also, not encouraging it, but disabling authentication allows players with pirated copies of MC to play on the server
https://sosmt.gov/wp-admin/admin-ajax.php?juwpfisadmin=false...
Linked from here if the above URL stops working: https://sosmt.gov/elections/ballot_issues/proposed-2026-ball...