We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
Passkeys are only good if they aren’t in a online password manager. They are better than TOTP 2FA in terms of security and phishing resistance. I see 2FA as a last resort when someone even gets into my password manager. Storing passkeys completely make this useless, as I’m sure anyone that can log into my accounts would’ve done so by getting a hold of my unencrypted password manager database. Unless android provides a real offline way of storing passkeys in the device, I am not interested alot.
Actual zero knowledge encrypted password managers with 2FA?
Keepass?
Or Bitwarden (supposedly)
Bitwarden is an online password manager and no I don’t consider self hosting it offline.
A sufficiently strong password and additional TOTP should protect you well enough.