Not sure where this post belongs, so feel free to redirect me if needed as my question seemingly can only be answered by Bitwarden employees. Anyway, I am curious why, when using passkey-based encryption, the vault key is encrypted with a public (presumably RSA) key; and the corresponding private key is encrypted with the output of the HMAC when it would appear to be as secure if like password-based encryption, the output of the HMAC was used as an AES key to encrypt the vault key.
According to FIDO2 CTAP 2.2, the HMAC secret is a random 32-byte key and the output is also 32 bytes which seemingly makes it fit perfectly with AES-256 similar to the 32-byte stretched master key that is used when password-based encryption is employed.
This seems to have no security disadvantages, but it has simplicity advantages in that it’s consistent with how password-based encryption is done and should make code simpler since there is no need to generate more keys.