Because don't sites with passkeys generally still allow you to fall back to a password, since it's common for people to lose their phone and then lose their passkey? Whereas sites with 2FA obviously don't, and have more complicated/secure recovery mechanisms?
So it seems to me like 2FA (TOTPs) are currently vastly better in practice?
Hardware keys and passkeys are better because they can't be phished. In the case of hardware keys, one should register multiple to prevent lockout. Most implementations of passkeys seem to be portable, letting them exist on multiple devices (something that gives me pause).
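The phishing resistance mentioned in the comment above comes from the way a WebAuthn assertion is bound to the origin and RP ID. The following is an added illustration, not code from the thread or from any WebAuthn library: the browser, not the web page, writes the origin into clientDataJSON and derives the RP ID, and the authenticator signs authenticatorData together with the hash of clientDataJSON. The hostnames, the HMAC stand-in for the real asymmetric signature, and the DEVICE_KEY shared between the two sides are assumptions made so the example runs on the standard library alone; the binding checks are the ones the spec requires.

```python
import hashlib
import hmac
import json
import os
import secrets

# Stand-in for the authenticator's private key. Real WebAuthn uses an
# asymmetric key (e.g. ES256); HMAC is used here only so the demo runs on
# the standard library. The binding checks below do not depend on this.
DEVICE_KEY = secrets.token_bytes(32)
RP_ID = "bank.example"                  # assumed relying party
RP_ORIGIN = "https://bank.example"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def browser_get_assertion(origin: str, challenge: bytes) -> dict:
    """Simulates browser + authenticator handling navigator.credentials.get().

    The browser fills in the origin and derives the RP ID from it; the page
    that called the API cannot override either value.
    """
    rp_id = origin.split("://", 1)[1]   # effective domain of the calling origin
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge.hex(),
        "origin": origin,
    }).encode()
    # authenticatorData = rpIdHash (32) | flags (1) | signCount (4)
    auth_data = sha256(rp_id.encode()) + b"\x01" + b"\x00\x00\x00\x00"
    signed = auth_data + sha256(client_data)   # what the authenticator signs
    sig = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": sig}


def rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party side checks (WebAuthn 7.2, verifying an assertion)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False                    # stale or attacker-chosen challenge
    if cd.get("origin") != RP_ORIGIN:
        return False                    # assertion was produced for another origin
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != sha256(RP_ID.encode()):
        return False                    # credential scoped to another RP ID
    signed = auth_data + sha256(assertion["clientDataJSON"])
    expected = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legitimate_login() -> bool:
    challenge = os.urandom(32)
    return rp_verify(browser_get_assertion(RP_ORIGIN, challenge), challenge)


def phished_login() -> bool:
    """Attacker at a look-alike origin relays the real RP's challenge to the victim.

    A real browser would not even offer the bank.example credential on this
    origin; the server-side rejection is shown for completeness.
    """
    challenge = os.urandom(32)          # issued by the real RP to the attacker's session
    victim = browser_get_assertion("https://bank-login.example", challenge)
    return rp_verify(victim, challenge)


def tampered_login() -> bool:
    """Attacker rewrites origin and rpIdHash after the fact: the signature no longer matches."""
    challenge = os.urandom(32)
    a = browser_get_assertion("https://bank-login.example", challenge)
    a["clientDataJSON"] = a["clientDataJSON"].replace(
        b"https://bank-login.example", RP_ORIGIN.encode())
    a["authenticatorData"] = sha256(RP_ID.encode()) + a["authenticatorData"][32:]
    return rp_verify(a, challenge)


if __name__ == "__main__":
    print(legitimate_login(), phished_login(), tampered_login())
```

Contrast this with a password or a TOTP code: nothing in those ties the secret the user typed to the origin that asked for it, so a relaying proxy gets a valid credential.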
If an adversary can successfully phish someone, they can often also trick them into providing TOTP codes or approving push notifications. However, TOTP remains significantly better than the alternatives, as it prevents credential stuffing attacks and SMS-related compromises while potentially limiting any account breach to a single session.
> Hardware keys and passkeys are better because they can't be phished.
I think you're missing the point I made -- that because of the way sites are currently set up, your password can be phished even if you have a passkey, and your password is good enough to get you in.
So given that that is the current state of things, isn't TOTP better because it prevents this? Because at least the TOTP won't let an adversary get in a second time.
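The "won't let an adversary get in a second time" point in this reply, and the "single session" point a few comments up, rest on the server refusing to accept a TOTP time step that has already been consumed (RFC 6238 section 5.2 recommends exactly this). The following is an added example, not code from the thread: an RFC 4226/6238 implementation on the standard library with a plus-or-minus one step window and replay rejection. The secret is the RFC test-vector key, and the phishing timeline is constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / 6238 test-vector secret (constructed demo value; real secrets are random)
SECRET = b"12345678901234567890"
STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side verification with a +/-1 step window and replay rejection.

    Any step at or below the highest step already used for a login is never
    accepted again, so a code captured by phishing works at most once.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1      # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:
                continue            # already used: replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def phishing_scenario(now: int) -> tuple:
    """Victim types the current code into a phishing page; attacker relays it.

    Returns (attacker_first_login, attacker_replay, victim_later_login).
    """
    server = TotpVerifier(SECRET)
    phished = totp(SECRET, now)                   # what the victim typed
    first = server.verify(phished, now + 5)       # relayed within the window: accepted
    replay = server.verify(phished, now + 20)     # same code again: rejected
    later = server.verify(totp(SECRET, now + 2 * STEP), now + 2 * STEP)
    return first, replay, later


if __name__ == "__main__":
    print(phishing_scenario(int(time.time())))
```

The first relay succeeds, which is why TOTP does not stop a real-time phishing proxy; only the second use is refused. Note that the replay check has to be per-user server state, so a deployment that verifies codes statelessly does not get this property.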
Sorry, I overlooked part of your post earlier - I'm tired. As I previously alluded to, I don't use passkeys due to concerns about their implementation. Whether passkeys are better than TOTP really depends on the individual user's circumstances.
Which service is it? Do they ever use that password?
If I were used to signing in with a passkey, I'd find a password prompt suspicious. While the average person might not, it's also possible they would have forgotten the password entirely. There are other services that force TOTP even with hardware keys enrolled. Technically they can be phished, but it would not be successful in all cases.
Unfortunately, varying behavior and support for multifactor protocols (along with risky reset flows) makes it hard to give blanket recommendations.
Most sites that allow a passkey also require you to set up 2FA with your password when enabling passkeys. Which, unless you also set up an alternative method like TOTP, would also be your passkey.
So ironically, your options would be your passkey, or your password+passkey/FIDO key (in 2FA mode).
How many places is generally irrelevant. If a system requires a user to provide two factors to authenticate, it is 2FA. Password manager software itself should be no exception.
If the vault requires a hardware key and master password to access the encrypted password and token, would you still describe it as single-factor authentication?
But why would it be better to use passkeys?