Security risks of using Bitwarden as authenticator and password manager

  1. The fact of the matter is that it's not 2FA if there is only one secret to break to get in.

  2. An online password manager should disable that function or at least put it behind additional protection (another password, like I proposed here: https://community.bitwarden.com/t/additional-encryption-for-items-protected-by-master-password-reprompt/58065 )

  3. You and many other people are mistaken about what Passkeys are for. Passkeys are EITHER a) a replacement for passwords (meaning that 2FA is still needed) OR b) a good 2FA (meaning that a password is still needed). Passkeys are NOT something that eliminates 2FA / combines password+2FA into one thing!!! And, well, it is NOT 2FA if it's just 1FA (a Passkey)!!!

So storing Passkeys in Bitwarden is OK if they are ONLY used to replace passwords… and additional 2FA is still used (like TOTP). If they are used to replace 2FA, then it's a bad idea, because the password is still needed and stored in Bitwarden anyway. If they are used to get rid of 2FA and just use 1FA, then it is a terrible, terrible, terrible idea!

I only use Passkeys in the form of physical YubiKeys… This way they can never be hacked/downloaded from me, no matter what the case is… THIS IS THE WAY THEY SHOULD BE USED. Unfortunately, many sites do not allow them to be used as U2F but push to use them as FIDO2, which is terrible from a security perspective (because then you usually don't have 2FA but 1FA, the passkey). Only very, very few sites allow you to use FIDO2 as login and TOTP as 2FA… or a password for login and FIDO2 as 2FA.

Again, if the only thing needed to sign into a service is FIDO2 (a passkey), then you do not have 2FA, you have 1FA. And that goes against even the basics of security.