Yes, of course this protocol can't somehow prevent sites from having a password (as a last ditch backup, or for any other reason) but it's intended to be used without passwords and, if you choose and have a more capable device, even without usernames.
Well, I hope you're right that passwords are essentially remnants of previous authentication schemes and not something implicitly required by this new scheme.
I could see us ending up in a world where we need a password to access the device on which the key is stored and more passwords for account recovery and access to key backups.
