
TOTP Apps vs Windows Hello Passkeys for 2FA

Privacy Guides Community [Unofficial] May 12, 2026

Windows Hello supports device-bound passkeys so you can use your Windows PIN or biometrics as 2FA/logins for websites. If I understand correctly, Microsoft does not have access to them, and you are unable to store them on the cloud even if you want to.

Also, isn’t using a password manager to store passkeys functionally the same as using password managers for TOTP? One of the very first articles in Privacy Guides warns against that:

Password Managers - Introduction to Passwords - Privacy Guides

“Don’t place your passwords and TOTP tokens inside the same password manager

When using TOTP codes as multifactor authentication, the best security practice is to keep your TOTP codes in a separate app.

Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.

Furthermore, we do not recommend storing single-use recovery codes in your password manager. Those should be stored separately such as in an encrypted container on an offline storage device.”

Getting a hardware key seems like maybe overkill to me, I’m not sure. What do you think?
