
Do passkeys allow an attacker to gain account access by accessing a single device?

Çağlar Arlı

Some companies such as Github suggest passkeys replace both passwords and 2FA:

passkeys satisfy both password and 2FA requirements

Github thus allows logging in with a passkey without any second factor, even if you have one enabled (like an authenticator app).

Consider an example scenario where a user's passkeys are stored in a password manager on a desktop computer, and the user also has a previously set up second factor for their online accounts. For simplicity, assume that the password manager storing the passkeys (and passwords) is not installed on the second factor, and is installed and permanently unlocked on the desktop computer.

My understanding is that when using passkeys, an attacker would only need to gain access to a single device (the desktop computer), either physically or over the network, to acquire the user's passkey vault, at which point the attacker could access all the user's accounts.

In contrast, 2FA with a mobile authenticator app or a hardware key (e.g., YubiKey) would require the attacker to gain access to two devices: the desktop computer AND the second factor (e.g., phone, YubiKey, etc.).

Is my understanding correct in this scenario, that passkeys reduce the difficulty of targeted attacks compared to traditional 2FA by reducing the number of devices that the attacker needs to access?