by aniforprez 1106 days ago
Passkeys are not the same as biometrics. Passkeys are generated and stored locally but do not have to be generated or stored on your device. Password managers are already moving towards supporting storing your passkeys. While you could store passkeys in your YubiKey, the ideal scenario would be your YubiKey is your authentication mechanism for your device or password manager and disconnecting your YubiKey will lock down your device and password manager. This way, the attacker needs your YubiKey and your device for gaining access. If you set a PIN on your YubiKey when you connect it to a device, that would probably increase the security. Personally, I am eyeing something similar to the fingerprint-scanning YubiKeys for my own purposes. But until then, using biometrics on my systems is sufficient. 1Password is also moving to passwordless passkey access, at which point my flow would be:

1. Unlock my device with a PIN/fingerprint/face unlock

2. Unlock 1Password with this same mechanism

3. Unlock access to a passkey-supported website/app using 1Password, which will store my passkey for that website/app

Through all of this, an attacker would have to have access to my device and my device authentication mechanism for gaining access, which still counts as 2 factor.