We had originally planned to go all-in on passkeys for ONCE/Campfire, and we built the early authentication system entirely around that. It was not a simple setup! Handling passkeys properly is surprisingly complicated on the backend, but we got it done. Unfortunately, the user experience kinda sucked, so we ended up ripping it all out...
You’re right if I get a virus I’m pretty cooked. Except I think to set 2fa up on the attacker’s device they’d need the phone authenticator to set it up the first time, so hopefully they couldn’t do it unless they used my computer remotely to login to websites.
But the password manager locks after 15 min and you have to put a pin in to unlock and decrypt.
I’m not sure what brute force mechanisms it has against the pin.
Re-entering the 2fa each session is annoying but it’s way better than having to do it on each individual site from my phone.