• 0 Posts
  • 3 Comments
Joined 4 months ago
Cake day: July 9th, 2025

  • If they can intercept my password despite TLS, they can probably also steal my session. I’ll grant that’s marginally less bad since the attacker would have to do their evil immediately if I log out when finished.

    I’m going to disagree that passkeys really have multifactor authentication built in. The passkey is a single factor. If it is compromised (an attacker steals the private key), that’s all the attacker needs unless the service involved requires another factor like TOTP. The fact that it’s usually harder to steal the private key than a password doesn’t make it MFA.

    I recognize the theoretical advantages, but my one attempt to use it (here, with Piefed) didn’t go so well, so I’m not eager to jump in with both feet.


  • Need is a strong word.

    2FA is a pretty good idea for some applications and needless hassle for others. I don’t need most of my accounts to have 2FA; I use a password manager with strong unique passwords, and for many accounts, having to make a new one would be an inconvenience rather than a tragedy.

    Service providers might be motivated to force it on me if stolen accounts could cost them money, but most of them don’t need to; it’s just the most expedient move for them.


  • I’ve been resisting using them and decided to set one on my rarely-used and unimportant Piefed account to try it out.

    Saved to Bitwarden fine on my desktop browser. When I try to log in with a browser on my phone, it asks for my username and does nothing more after that dialog closes. While I’m not sure if this is a problem with Piefed, Bitwarden, or Firefox, I’m now disinclined to try it with anything important, especially if that thing might then discourage me from logging in with a password.

    I recognize the theoretical advantages, but passkeys don’t do much to solve problems I actually have. All my passwords look like @A#vVukh9c$3Kw4Cs8NP9xgazEuJ3JWE and are unique. Bitwarden won’t autofill the wrong domain. I don’t enter credentials in links from emails I didn’t trigger myself immediately before. I haven’t checked whether I can reliably backup and restore them in my Bitwarden vault.
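The first and third comments above both turn on two properties of a passkey: the private key alone is sufficient to log in (so it is one factor, however hard it is to steal), and the signature is bound to the relying-party ID (so a look-alike domain cannot use it). The following is an added illustration written for this page, not code from the commenter, Piefed or Bitwarden. It is a deliberately minimal model of a WebAuthn assertion using Ed25519 from Go's standard library; real passkeys usually use ES256 and sign additional authenticator data (flags, counter), and the relying-party ID `piefed.example` and the look-alike `piefed-login.example` are assumed names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Passkey is the private half of a discoverable credential: one Ed25519 key
// scoped to one relying-party ID. Toy model, not a WebAuthn implementation.
type Passkey struct {
	RPID string
	priv ed25519.PrivateKey
}

// Registration is all the server stores: the RP ID and the public key.
type Registration struct {
	RPID string
	pub  ed25519.PublicKey
}

// NewPasskey creates the credential (authenticator side) and the matching
// registration record (server side).
func NewPasskey(rpID string) (*Passkey, Registration, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Registration{}, err
	}
	return &Passkey{RPID: rpID, priv: priv}, Registration{RPID: rpID, pub: pub}, nil
}

// NewChallenge is the server's per-login random nonce; it stops replay.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedMessage mirrors what a WebAuthn assertion covers: SHA-256(rpID)
// followed by the challenge. Binding the RP ID is what defeats phishing sites.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert is the authenticator's login step. The browser reports the RP ID of
// the page asking; the authenticator signs only for the ID it registered under.
func (p *Passkey) Assert(requestingRPID string, challenge []byte) ([]byte, error) {
	if requestingRPID != p.RPID {
		return nil, errors.New("no credential registered for this relying party")
	}
	return ed25519.Sign(p.priv, signedMessage(p.RPID, challenge)), nil
}

// Verify is the server's entire check: a valid signature over its RP ID and
// challenge by the registered public key. No second factor is involved.
func (r Registration) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(r.pub, signedMessage(r.RPID, challenge), sig)
}

// ExportPrivateKey stands in for whatever leaks the key (a compromised vault
// or sync endpoint). The bytes alone are enough to authenticate.
func (p *Passkey) ExportPrivateKey() ed25519.PrivateKey {
	return append(ed25519.PrivateKey(nil), p.priv...)
}

// DemoResult records the three outcomes the comments above argue about.
type DemoResult struct {
	LegitimateLogin  bool // real authenticator, real site: accepted
	PhishSiteRefused bool // look-alike RP ID: authenticator will not sign
	StolenKeyLogin   bool // attacker holding the private key bytes: accepted
}

// Demo runs all three scenarios against one registered credential.
func Demo() (DemoResult, error) {
	const site = "piefed.example" // assumed RP ID for this example
	pk, reg, err := NewPasskey(site)
	if err != nil {
		return DemoResult{}, err
	}
	var res DemoResult

	chal := NewChallenge()
	sig, err := pk.Assert(site, chal)
	if err != nil {
		return res, err
	}
	res.LegitimateLogin = reg.Verify(chal, sig)

	_, err = pk.Assert("piefed-login.example", NewChallenge()) // assumed phishing domain
	res.PhishSiteRefused = err != nil

	leaked := pk.ExportPrivateKey() // single factor: the key is all that is checked
	chal2 := NewChallenge()
	sig2 := ed25519.Sign(leaked, signedMessage(site, chal2))
	res.StolenKeyLogin = reg.Verify(chal2, sig2)
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Running it prints all three fields as true. The RP-ID check lives in the browser and authenticator, not the server, which is why the stolen-key path bypasses it: an attacker who has the key bytes signs the correct RP ID directly, and the server has nothing else to ask for unless a separate factor such as TOTP is configured.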