

2 days ago

It is hard to do well, which is why I worry. Google probably has the best overall account security; you could do worse than modeling after them.
The short answer to your question is Passkeys. But you need a whole system of account recovery around them.
Go read the FIDO threat model if you want to understand how it protects against specific attacks. It is pretty secure.
https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-security-ref-v2.0-id-20180227.html
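The relying-party side of a passkey login, as an added example that is not part of the comment above or of any FIDO Alliance code: it shows the checks in a WebAuthn assertion that make the phishing, replay and cloned-authenticator attacks from the FIDO security reference fail. The RP ID `example.com`, the origin, and the simulated authenticator are assumptions; the ECDSA over P-256 is a short pure-Python stand-in for a real library so the block runs with the standard library only (it is not constant-time and is for illustration, not production).

```python
import base64
import hashlib
import json
import secrets

# NIST P-256 parameters (the curve behind the ES256 COSE algorithm passkeys commonly use).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p, q):
    """Affine point addition on P-256; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, p):
    """Double-and-add scalar multiplication (toy: not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

RP_ID = "example.com"            # assumed relying party ID
ORIGIN = "https://example.com"   # assumed origin the RP expects in clientDataJSON

def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def authenticator_get(priv, rp_id, origin, challenge, sign_count):
    """Simulated browser + authenticator: build the assertion navigator.credentials.get()
    would return for a page loaded from `origin`, scoped to `rp_id`."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": _b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash(32) || flags(1: UP|UV = 0x05) || signCount(4)
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([0x05])
                 + sign_count.to_bytes(4, "big"))
    sig = ecdsa_sign(priv, auth_data + hashlib.sha256(client_data).digest())
    return auth_data, client_data, sig

def verify_assertion(pub, expected_challenge, last_count, auth_data, client_data, sig):
    """Relying-party checks from the WebAuthn authentication ceremony; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != _b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != ORIGIN:
        return False, "origin mismatch (a phishing page drove this ceremony)"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to another RP)"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    count = int.from_bytes(auth_data[33:37], "big")
    if count != 0 and count <= last_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    if not ecdsa_verify(pub, auth_data + hashlib.sha256(client_data).digest(), sig):
        return False, "bad signature"
    return True, "ok"

def demo():
    priv = secrets.randbelow(N - 1) + 1      # private key stays on the authenticator
    pub = _mul(priv, G)                       # public key the RP stored at registration
    results = {}
    # 1. Legitimate login: fresh challenge, correct origin, counter advances.
    ch = secrets.token_bytes(32)
    results["legit"] = verify_assertion(pub, ch, 0, *authenticator_get(priv, RP_ID, ORIGIN, ch, 1))
    # 2. Phishing: a real browser would not even offer the example.com credential on a
    #    look-alike site; if an assertion were produced anyway, origin and rpIdHash fail.
    ch = secrets.token_bytes(32)
    results["phish"] = verify_assertion(
        pub, ch, 1, *authenticator_get(priv, "examp1e.com", "https://examp1e.com", ch, 2))
    # 3. Replay: a captured assertion presented against a later, different challenge.
    captured = authenticator_get(priv, RP_ID, ORIGIN, secrets.token_bytes(32), 3)
    results["replay"] = verify_assertion(pub, secrets.token_bytes(32), 2, *captured)
    # 4. Counter rollback: signCount equal to one the RP has already seen.
    ch = secrets.token_bytes(32)
    results["clone"] = verify_assertion(pub, ch, 5, *authenticator_get(priv, RP_ID, ORIGIN, ch, 5))
    return results
```

The phishing case is the one the FIDO threat model is most often cited for: because the browser, not the user, fills in `origin` and `rpIdHash`, a credential registered to `example.com` cannot produce an assertion that `example.com` will accept from any other site, and the challenge check means a captured assertion is worthless a second time.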