RISK: To my knowledge, if a vault is compromised, so are the passkeys.
CONTEXT: Password-based credentials can be safer than passcodes should a vault be compromised, where the user has employed a secret password suffix, i.e. “something known”, added to complete the password string so that credentials remain safe.
Passkeys are great technology but currently lack the equivalent of the password secret suffix to protect them in Bitwarden in the event of a vault compromise.
FEATURE REQUEST: Add an option which, if enabled, would require an additional symmetrical encryption password upon initial passkey storage. User solicitation of this additional password would become part of initial passkey storage and all future passkey transactions.
Enhancements would include: caching the symmetrical encryption password for the current Bitwarden session to minimize avoidable reentry; and providing a means to change the symmetrical encryption password.
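
A sketch of the mechanism requested above, added here as an example and not taken from the post or from Bitwarden's code. It wraps a passkey private key under a key derived from a second password, caches that key for the session, and re-wraps on a password change. scrypt and AES-256-GCM are assumed choices, and every function, class and field name is hypothetical.

```javascript
// Added illustration, not Bitwarden code; every name below is hypothetical.
const nodeCrypto = require("node:crypto");

// scrypt cost settings are assumed values for this sketch.
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const deriveKey = (password, salt) =>
  nodeCrypto.scryptSync(password.normalize("NFKC"), salt, 32, KDF);

// Encrypt a passkey private key before it is written into the vault.
function wrapPasskey(privateKey, key, salt, credentialId) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(credentialId)); // ties the blob to its credential
  const ct = Buffer.concat([c.update(privateKey), c.final()]);
  return { credentialId, salt, iv, ct, tag: c.getAuthTag() };
}

// Decrypt; final() throws if the key, blob or credentialId is wrong.
function unwrapPasskey(blob, key) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.iv);
  d.setAAD(Buffer.from(blob.credentialId));
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ct), d.final()]);
}

// Holds the derived key in memory for one unlocked session only.
class PasskeySession {
  unlock(password, salt) {
    this.salt = salt;
    this.key = deriveKey(password, salt);
  }
  lock() {
    if (this.key) this.key.fill(0); // wipe the cached key
    this.key = this.salt = null;
  }
  store(privateKey, credentialId) {
    if (!this.key) throw new Error("passkey password required");
    return wrapPasskey(privateKey, this.key, this.salt, credentialId);
  }
  use(blob) {
    if (!this.key) throw new Error("passkey password required");
    return unwrapPasskey(blob, this.key);
  }
  // Re-encrypt every stored blob under a new password and fresh salt.
  changePassword(blobs, newPassword) {
    const plain = blobs.map((b) => this.use(b));
    this.lock();
    this.unlock(newPassword, nodeCrypto.randomBytes(16));
    return blobs.map((b, i) => this.store(plain[i], b.credentialId));
  }
}
```

With this layout a copy of the vault yields only the ciphertext blobs; the second password is never stored, and the derived key exists only while the session is unlocked.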