
I don't want to store passkeys in my password manager, the same way that I don't want my TOTPs to be stored in my password manager.

If my 1P/LastPass/Bitwarden gets hacked/compromised/pwned by someone across the globe, they still can't compromise my critical services because they don't have my hardware token. I just have to rotate all of my passwords.

If you store everything in your password manager, you've just turned your 2FA/MFA into 1FA.

This is also why you shouldn't copy SSH private keys around, just because "it's easier to only have one fingerprint". Generate one private key per device. This is somewhat mitigated by `-sk` type keys, though. (SK SSH keys are still basically unusable because they are not recognised by a significant number of versions of SSH, including the default macOS SSH client.)



Passkeys are not MFA; passkeys are expected to be used as a single authentication factor.


The passkey security model is designed with the assumption that the passkey is tied to a device. Using a password manager that's tied to a centralized service that's accessible from any web browser with an internet connection makes the security model different. It seems to me like a passkey in a password manager is no different than a username and password with NO 2FA security model.


The whole idea of passkeys is that the credentials are syncable. The main implementations of passkeys are probably going to be platforms (Google/Apple/Microsoft) and password managers. In both cases the credentials will be syncable and tied to a centralized service.

The main difference from passwords is that passkeys are not phishable (since you never send them to the website you authenticate to).


Oh and for SSH, an SSH CA and short-lived SSH certificates are the only right way ^^ (I recommend HashiCorp Vault for this purpose. It also works for the host key.)
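As an added illustration of the SSH CA approach mentioned in that comment (an example script written for this thread, not code from the commenter, OpenSSH or Vault; the temp directory, the principal name `deploy` and the one-hour lifetime are assumptions for the demo):

```shell
#!/bin/sh
# Added example: a minimal SSH CA that signs a short-lived user certificate
# with plain ssh-keygen, so the per-device key never leaves the device and
# access expires on its own. Paths and the "deploy" principal are assumed.
set -eu

WORK="${TMPDIR:-/tmp}/sshca-demo.$$"

# Create the CA key and one per-device user key, then sign the user key
# into a certificate valid for one hour. Prints the certificate path.
issue_short_lived_cert() {
    mkdir -p "$WORK"
    # CA private key: stays on the signing host, never copied to devices.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$WORK/ca"
    # Device key: generated where it is used; only the public half is sent
    # to the CA for signing.
    ssh-keygen -q -t ed25519 -N '' -C 'laptop' -f "$WORK/laptop"
    # -I: identity recorded in sshd logs, -n: principals the cert may log
    # in as, -V +1h: validity window starting now. Output: laptop-cert.pub
    ssh-keygen -q -s "$WORK/ca" -I 'laptop-demo' -n deploy -V +1h \
        "$WORK/laptop.pub"
    echo "$WORK/laptop-cert.pub"
}

# Return 0 if the file is a *user* certificate whose principal list
# contains the given principal; this is the check sshd makes against
# AuthorizedPrincipalsFile / the login name before accepting the cert.
cert_allows_principal() {
    cert="$1"; principal="$2"
    ssh-keygen -L -f "$cert" | grep -q 'Type: .* user certificate' &&
    ssh-keygen -L -f "$cert" |
        sed -n '/Principals:/,/Critical Options:/p' |
        grep -qx "[[:space:]]*$principal"
}

# Usage: CERT=$(issue_short_lived_cert); cert_allows_principal "$CERT" deploy
```

The host side then only needs `TrustedUserCAKeys` pointing at `ca.pub`; expired certificates are rejected without any key rotation or revocation step.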



