Richard Krueger
Aug 12, 2024


You are right, the Microsoft Authenticator App along with the Google Authenticator app are based on rolling TOTP codes. If the device is stolen, the malicious actor can access those codes, assuming that they can get into the device and it is not wiped remotely. TOTP solutions are not passkey, and they are really not that secure. Passkey is based on the FIDO2 standard which uses public/private key encryption between the client and the server. If the server gets hacked, there is nothing to steal but a bunch of public keys, which would take about 4 trillion years given today's fastest supercomputers to reverse to the private key. Passkey, on the other hand, stores the private key in the device keychain, which can be deleted from another device remotely, but also requires biometric authentication to access, something presumably the thief would not have.


Written by Richard Krueger

I have been a tech raconteur and software programmer for the past 25 years and an iOS enthusiast for the last eight years. I am the founder of Cosync, Inc.
