by jeroenhd
928 days ago
Depending on your level of trust in Bitwarden and your security model, you could consider unlocking the Bitwarden vault with a security key, and then using Bitwarden's passkey support to authenticate to websites. It's not really 2FA, but it works around the resident key limitation. There's also a nifty app that implements CTAP2 on Android Wear, and basically acts like an NFC/Bluetooth security key. If you have an Android Wear and don't think your watch will be hacked and rooted, this could be a useful alternative, especially in places where Google doesn't sell their Titan keys.

The website being breached and the passkey public key being dumped is meaningless. They are more likely to compromise a site’s admin access that can get into user accounts than ever crack public key cryptography or simultaneously acquire all three factors necessary to gain access to my vault. And nothing I do on my end (except only using sites that take security seriously) can stop that.