tl;dr: passkeys, as proposed now, will fill up existing fido2/webauthn authenticators if the feature becomes widespread enough. this is because the feature of “passkeys” actually refer to resident keys, which most authenticators today can only store a limited amount of (some, none at all!). preventing this will require changes to either webauth, fido, or passkey libraries.
It seems like if your hardware can’t hold all your passkeys you could just store one for your password manager and then the rest of the passkeys that didn’t fit can come from the password manager. Or I barely understand how this stuff works and that’s not feasible? I haven’t used passkeys yet and my first yubikeys arrive tomorrow.
I think both passkeys and security keys rely on the hardware being one of your multiple factors. This is what keeps a remote hacker who stole some website’s password database from using the stolen passwords to log in–they don’t have your physical hardware.
You can’t store the passkey in your password manager because your password manager isn’t hardware.
You could store the passkeys in your laptop’s (or phone’s, etc.) hardware, and in fact that’s how passkeys are intended to work.
Disclaimer: I barely understand this stuff and welcome corrections/elaborations.
I believe password managers are getting the ability to store passkeys, bitwarden is rolling it out as a new feature soon. Here’s their announcement: https://bitwarden.com/blog/what-are-passkeys-and-passkey-login/
1Password also: https://www.future.1password.com/passkeys/
Interesting! I wonder if they’re actually storing the keys in the cloud or if they’re just using Bitwarden as a way to sync keys between hardware.
In any case, it seems like your original suggestion is a good one. Thanks for the info!