[sebk]

Passkeys are not quite passwords even if backed by software and stored in the same memory space as other applications running on the OS. They're still asymmetric, cryptographically secure, and domain-bound. It's true that being "just a file on your hard drive" changes the threat model as compared to a hardware security key, but that file is wrapped at rest, potentially with a hardware security key as well.

Whether it's a downgrade or not depends on your specific threat model, and whether it's a downgrade for you or for the userbase at large.

[manquer]

All of that encryption at rest applies to any password manager too.

In comparison with a password manger managed password +2FA , just software passkeys are a downgrade.

Whether it is acceptable downgrade can depend on your threat model, the fact that it downgrade or not is not

[sebk]

Please read the comment again, because that wasn't the argument I was making.

I'll restate in case I wasn't clear -- the fact that it's wrapped addresses the "just a file"; meaning it's not sufficient to attack the filesystem to steal it, just like a password manager vault is.

As for how it's not a downgrade (or upgrade, mind you), it's domain-bound using standard browser APIs, meaning it's less likely than the comparable autofill used by a password manager to not leak passwords to the wrong site (LastPass suffered this issue in the past, for example). It prevents reuse across sites, it's not vulnerable to a man-in-the-middle in the same way a password or TOTP secret is, and guarantees strong assymetric crypto as opposed to whatever a server decides to do with a password and a secret. Additionally, and especially when compared to password managers, most of them now offer to also store and autofill TOTP secrets leaving us in the same spot were at with virtual authenticator backed passkeys, but with worse cryptography.