> I don't do that. My password manager simulates keystrokes 2 seconds after I hit the button.

So a malware on your computer can just listen to the keystrokes, or read on the screen? If the OS is compromised, they can extract the password. With a passkey they can't.

> So we're back to 1FA now but just "something you have" and no "something you know" ?

You can set up a PIN on your Yubikey, so that's "something you have" and "something you know", and you can request physical presence ("touching the yubikey") on top.