It is hard to do well which is why I worry. Google probably has the best overall account security, you could fo worse than modeling after them.

The short answer to your question is Passkeys. But you need a whole system of account recovery around them.

I love Lemmy and Voyager and the Fediverse. That said, if it were to become mainstream I forsee some problems. The fact that the login relies on only passwords is pretty terrible. Also, this makes the service vulnerable to bots, sock puppet accounts, brigading, etc.