My passwords are bound to a domain and Bitwarden will refuse to autofill if the domain doesn't match. I can copy the password manually if I care to, but that's true in every passkey implementation that I've seen as well: they're never the only login option, you can always log in with a password too.
I don’t understand what you mean, sorry. If you are manually copying a password, then you are not using passkeys? There is nothing to copy/accidentally leak with passkeys.
I guess it will be a while before passkeys are the _only_ option that websites accept
I'm saying that as long as websites use the username/password model alongside passkeys with no way to turn off the former, you're just as at risk of phishing with passkeys as I am with domain-bound autofill.
Either one of us would have to choose to manually copy our logins into a phishing form in order to get phished.
