Compromised vault Passkey protection - add an optional "something known" to Passkeys

RISK: To my knowledge, if a vault is compromised, so are the passkeys.

CONTEXT: Password-based credentials can be safer than passcodes should a vault be compromised, where the user has employed a secret password suffix, i.e. “something known”, added to complete the password string so that credentials remain safe.

Passkeys are great technology but currently lack the equivalent of the password secret suffix to protect them in Bitwarden in the event of a vault compromise.

FEATURE REQUEST: Add an option which if enabled would require an additional symmetrical encryption password upon initial passkey storage. User solicitation of this additional password would become part of initial passkey storage and all future passkey transactions.

Enhancements would include: caching the symmetrical encryption password for the current Bitwarden session to minimize avoidable reentry; and, providing a means to change the symmetrical encryption password.

This is basically what I asked for in “Feature request” in Additional encryption for items protected by Master Password Reprompt - #3 by mmja

Basically meaning that all TOTP and Passkeys would be further encrypted (not just “protected”) by password… which by default could simply be Bitwarden password (+nonce stored there), but user could select other password(s) to further protect these vital components against compromise. And of course anything else user sees fit, like credit card info etc.
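
A sketch of the extra encryption layer requested in this thread, added as an example and not taken from any post or from Bitwarden's code: the passkey private key is wrapped under a key derived from a second password before it is stored, and re-wrapped when that password changes. The function names, blob layout, scrypt parameters and the use of the credential ID as associated data are assumptions.

```javascript
// Added example: hypothetical names and blob layout, not Bitwarden's vault format.
const nodeCrypto = require("node:crypto");

// Assumed scrypt cost; maxmem is raised because N=2^15, r=8 needs about 32 MiB.
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Derive a 256-bit wrapping key from the "something known" password.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password.normalize("NFKC"), salt, 32, SCRYPT);
}

// Encrypt the passkey private key before it is written to the vault item.
function wrapPasskey(privateKey, password, credentialId) {
  const salt = nodeCrypto.randomBytes(16); // fresh salt per wrap
  const iv = nodeCrypto.randomBytes(12);   // fresh GCM nonce per wrap
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  cipher.setAAD(Buffer.from(credentialId)); // bind the blob to its credential
  const ct = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the private key, or null on a wrong password, wrong credential
// or a modified blob (the GCM tag check fails in all three cases).
function unwrapPasskey(blob, password, credentialId) {
  const key = deriveKey(password, blob.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  decipher.setAAD(Buffer.from(credentialId));
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Changing the second password means unwrapping with the old one and
// wrapping again with a new salt and nonce; the passkey itself is unchanged.
function changePassword(blob, oldPassword, newPassword, credentialId) {
  const privateKey = unwrapPasskey(blob, oldPassword, credentialId);
  return privateKey === null ? null : wrapPasskey(privateKey, newPassword, credentialId);
}
```

Someone holding only the decrypted vault gets the wrapped blob, so what remains is an offline guessing attack against the second password; its strength and the scrypt cost decide how long that holds.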