Passkeys - can you turn off the master password verification for sites?

It’s one thing to not implement user verification; that’s a totally valid position to take if Bitwarden wants to do that. But if you do so, YOU MUST return uv=false in the attestation.

Lying about doing user verification (by always returning true in the attestation) will just lead to Bitwarden’s AAGUID being banned on all major services and enterprise systems. Seeing Bitwarden take a cavalier approach to security to reduce user friction is disappointing.

Ideally, passkeys that require UV should be stored encrypted with an intermediary key that is derived from a UV PIN (set separately from the vault master password or unlock PIN).

Yes, it increases user friction. However, if a service requires user verification, then INFORM THE USER why they are asked to provide a PIN, and do UV according to the spec (with the maximum 30 second timeout imposed by CTAP 2.1).

2 Likes
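The UV flag the post refers to lives in the flags byte of the WebAuthn authenticatorData structure that a relying party receives with every registration and assertion. As an added example (not code from the post, from Bitwarden, or from any WebAuthn library), here is the relying-party-side check in Python that parses that structure and enforces the site's userVerification policy. The function names, the `uv_requirement` argument (which takes the WebAuthn UserVerificationRequirement values `required`, `preferred`, `discouraged`) and the sample authenticator data are constructed for this example.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions in the authenticatorData "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_BE = 0x08  # Backup Eligible (Level 3; set by synced passkeys)
FLAG_BS = 0x10  # Backup State  (Level 3)
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short (need at least 37 bytes)")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def check_assertion(auth_data: bytes, rp_id: str, uv_requirement: str) -> tuple[bool, str]:
    """Relying-party policy check on the flags byte.

    uv_requirement is the value the RP sent in the request:
    "required", "preferred" or "discouraged". Returns (accepted, reason).
    Signature verification and challenge binding are separate steps and are
    not shown here.
    """
    ad = parse_auth_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad.user_present:
        return False, "UP flag not set: no user presence check was performed"
    if uv_requirement == "required" and not ad.user_verified:
        # An honest uv=false from a client that skips verification lands here;
        # the RP can then reject or step up. A client that always sets the bit
        # makes this check meaningless, which is the post's complaint.
        return False, "policy requires user verification but authenticator reported uv=false"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData for exercising the checks above."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for flags, req in [(FLAG_UP | FLAG_UV, "required"), (FLAG_UP, "required"), (FLAG_UP, "preferred")]:
        print(f"flags=0x{flags:02x} policy={req}: {check_assertion(make_auth_data('example.com', flags), 'example.com', req)}")
```

The check can only act on what the authenticator reports. If a client skips verification but still sets UV, the relying party accepts an assertion that never met its policy, and the only remaining lever is to treat that authenticator's AAGUID as untrusted in attestation policy, which is the outcome the post warns about.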