Support passwordless passkey-only accounts #254

@devondragon

Summary

Allow users to remove their password when they have at least one passkey registered, enabling passwordless passkey-only accounts.

Passkeys are inherently multi-factor (device possession + biometric/PIN), making them more secure than passwords alone. Major providers (Google, Microsoft, Apple, GitHub) now support passwordless passkey-only accounts.

Key Considerations

  • Password removal API: New endpoint to clear a user's password, gated on having at least one registered passkey
  • Last-credential protection: Already implemented — prevents deleting the final passkey when no password is set. This ensures passwordless users can't lock themselves out.
  • Account recovery: Synced passkeys (iCloud Keychain, Google Password Manager) mitigate loss risk, but device-bound keys don't. Consider whether to require synced passkeys or offer backup codes.
  • Passkey-only registration: Consider a registration flow that doesn't require a password at all — user registers with email, verifies, then enrolls a passkey as their sole credential.
  • Auth method indicator: Expose whether a user has a password, passkeys, or both, so the UI can show appropriate options.
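
An added example (not the project's code) of the gates described above, written as plain Java so it runs without Spring or JPA: `User`, `Passkey`, `removePassword`, `removePasskey` and the `requireSynced` option are assumed names, and `backupEligible` stands in for the WebAuthn backup-eligible (BE) flag that separates synced from device-bound passkeys.

```java
import java.util.ArrayList;
import java.util.List;

public class CredentialPolicy {
    public enum AuthMethod { PASSWORD_ONLY, PASSKEY_ONLY, PASSWORD_AND_PASSKEY }
    // Hypothetical passkey record; backupEligible mirrors the WebAuthn BE flag (synced vs device-bound).
    public record Passkey(String credentialId, boolean backupEligible) {}
    // Hypothetical user: passwordHash becomes null once the password has been removed.
    public static final class User {
        String passwordHash;
        final List<Passkey> passkeys = new ArrayList<>();
        User(String passwordHash) { this.passwordHash = passwordHash; }
    }
    // Auth method indicator so the UI can show the right options.
    public static AuthMethod authMethod(User u) {
        boolean pw = u.passwordHash != null, pk = !u.passkeys.isEmpty();
        if (pw && pk) return AuthMethod.PASSWORD_AND_PASSKEY;
        if (pk) return AuthMethod.PASSKEY_ONLY;
        if (pw) return AuthMethod.PASSWORD_ONLY;
        throw new IllegalStateException("user has no credentials at all");
    }
    // Password removal gate: at least one passkey, and (if requireSynced) at least one synced
    // passkey so that losing a single device does not lock the user out.
    public static void removePassword(User u, boolean requireSynced) {
        if (u.passkeys.isEmpty())
            throw new IllegalStateException("register a passkey before removing the password");
        if (requireSynced && u.passkeys.stream().noneMatch(Passkey::backupEligible))
            throw new IllegalStateException("a synced (backup-eligible) passkey is required");
        u.passwordHash = null;
    }
    // Last-credential protection: never delete the final passkey of a passwordless account.
    public static void removePasskey(User u, String credentialId) {
        boolean known = u.passkeys.stream().anyMatch(p -> p.credentialId().equals(credentialId));
        if (!known) throw new IllegalArgumentException("unknown credential " + credentialId);
        if (u.passwordHash == null && u.passkeys.size() == 1)
            throw new IllegalStateException("cannot delete the last passkey of a passwordless account");
        u.passkeys.removeIf(p -> p.credentialId().equals(credentialId));
    }
    public static void main(String[] args) {
        User u = new User("<hashed-password-placeholder>"); // constructed sample user
        u.passkeys.add(new Passkey("cred-A", true));        // constructed synced passkey
        System.out.println(authMethod(u));
        removePassword(u, true);
        System.out.println(authMethod(u));
        try { removePasskey(u, "cred-A"); }
        catch (IllegalStateException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Both checks belong in the service layer that both the password-removal endpoint and the passkey-deletion endpoint call, so a client cannot bypass one gate by going through the other.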

Current State

The WebAuthn/passkey infrastructure is fully implemented (JPA-backed repositories, credential management API, last-credential protection). This issue covers the gap: users currently cannot remove an existing password.


Labels: enhancement (New feature or request)