@bwuser10000 It is up to the Relying Party (the website that you are logging in to) to specify that User Verification for passkeys should be either required, preferred, or discouraged. In a Reddit thread on the topic of the onerous master password requirement, Bitwarden employee /u/bwmicah (@Micah_Edelblut ??) seemed to pass the blame to the Relying Parties — which I feel is a bit of a cop-out, frankly. While the FIDO standards absolutely mandate that an Authenticator (like Bitwarden) perform “some form of user verification” when the Relying Party has specified that User Verification is required, there is nothing in the FIDO or CTAP specs that requires the User Verification to be in the form of a master password (or that it must match the vault unlock method).
In fact, it seems that using the master password or vault unlock PIN for User Verification can lead to noncompliance with the FIDO/CTAP specifications, as explained in Points #3 and #4 of this GitHub Issue:
If you have a Yubikey, I think that is a good model for how the User Verification works when compliant with the standards: each time that you need to authenticate using a passkey stored on the Yubikey, you will need to input your Yubikey PIN (if the Relying Party is requiring User Verification) — and if you enter the wrong PIN too many times (>8), then the PIN will stop working. If Bitwarden wants to be compliant with the standards, they will ultimately have to implement something analogous. However, as I’ve explained in the Feature Request thread, I don’t think they will be able to get there as long as they use the paradigm of making the User Verification method match the vault unlock method.
Anybody reading this who is bothered by the new User Verification requirement — if you have any votes left to give, please vote in this Feature Request thread:
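To make the division of responsibility concrete, here is an added example (not code from the original post, Bitwarden, or any Relying Party) showing where a Relying Party states its User Verification policy and how its server checks the returned assertion against that policy by reading the UP/UV flags in the WebAuthn authenticatorData. The sample authenticatorData bytes are constructed for the demonstration.

```javascript
// Added example (not from the original post or Bitwarden's code): how a Relying
// Party states its User Verification policy and checks an assertion against it.
// WebAuthn authenticatorData layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: User Present
const FLAG_UV = 0x04; // bit 2: User Verified

// What the RP hands to navigator.credentials.get(); the UV policy lives here,
// with one of 'required', 'preferred' or 'discouraged'.
function buildRequestOptions(challenge, rpId, userVerification) {
  return { publicKey: { challenge, rpId, userVerification, timeout: 60000 } };
}

// Parse the fixed-size prefix of authenticatorData and expose the flag bits.
function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticatorData too short');
  const flags = authData[32];
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: authData.readUInt32BE(33),
  };
}

// Server-side policy check: user presence is always required; the UV flag is
// only enforced when the RP asked for userVerification: 'required'.
function checkUserVerification(authData, policy) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { ok: false, reason: 'user presence flag not set' };
  }
  if (policy === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'RP required user verification but UV flag not set' };
  }
  return { ok: true, reason: parsed.userVerified ? 'UV performed' : 'UV not performed (not required)' };
}

// Constructed sample authenticatorData: all-zero rpIdHash, given flags, signCount 7.
function sampleAuthData(flags) {
  const buf = Buffer.alloc(37);
  buf[32] = flags;
  buf.writeUInt32BE(7, 33);
  return buf;
}
```

Run under Node; with policy 'required' an assertion carrying UP but not UV is rejected, while the same assertion passes under 'preferred' or 'discouraged'.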