by ifh-hn 74 days ago
What about offline-stored passkeys? I've a KeePassXC database. Just having the database isn't enough because you need the keyfile and my password to open it.

I get what they're saying but device-bound passkeys are brittle. Lost device, lost account. So you need multiple devices. Passkeys are just a bad solution to a valid problem.

1 comment

That is what I was thinking, too, but rather than the keyfile being an actual file, it is, instead, on the USB-C HW token. So, to decrypt your KeePassXC db, you'd need the physical token to do the decryption, and ask it to be, effectively, an HSM.

https://keepass.info/help/kb/yubikey.html talks of different ways of doing something like that, but I've not played with it yet.

Another option is just to store passkeys natively on the token itself?