This is wrong and risky at so many levels, not sure if using the big tech name here was a clickbait in the first place
1. Not all employees have access to account and user data in any medium+ size company
2. What one does in their own time is personal business but what one does in their own time on company IP is not personal anymore. The person might even get fired, the karma point or couple hundred are not worth the risk.
3. This just creates a channel to identify the weak links in human chain for phishing attacks
Ironically instagram was not even in the list for selection for the form
Passkeys are one of the non-phishable means for authentication. If something is easy to recover for user then its same for a malicious actor. Some platform based passkeys (apple, google) are actually sync-able across the devices. The whole Passkeys concept is under debate and discussion for what it means for different types of WebAuthn authenticators when it comes to the ability to sync the credentials. Alternatively one can use security keys which they can keep with themselves and could protect themselves by enrolling one additional security key for recovery purposes that they can keep away. Regardless the whole idea is to have more than one MFA factors enrolled so that one is not get locked out. Ease of using WebAuthn/ Passkeys overweighs typing in password, SMS, TOTP codes and has big savings for big players to avoid phishing attacks. It might not be suitable for every use case but worth using for some.