
jerf, 05/14/2025, 3 replies

Passwords are "something you know". TOTP is "something you know". It wanted to be "something you have", but it's not. Proof: I can put TOTP tokens into my password manager now. Anything that can go into my password manager is proved to be "something I know" by the fact I can put it into my password manager.

Incidentally, passkeys go into my password manager too. You can probably work the math from there.

(I'm heterodox on this matter, though. I don't believe in the existence of "things you are" and "things you have". I think it's all ultimately just "things you know" and it's all better analyzed in terms of the cost of knowing and proving knowledge, and that the 3-factor framework for authentication is wrong.)


Replies

maple3142, 05/15/2025

Isn't it the same for passkeys? I can put passkeys in password managers like Bitwarden, 1password, ...

immibis, 05/15/2025

Incidentally, biometric scans can also go in password managers. Turns out it's all just bits. Who knew?

The best you can do is attestation. Embed a certificate and private key in the TPM that says it's a real genuine FooBarCorp TPM, and sign all responses with that private key. This is terrible for the open ecosystem. It's also the only way to do the thing everyone sells their product on being able to do, so if it's allowed, then it's inevitable.

jcattle, 05/15/2025

I think you're all missing a bit of the point.

With TOTP (as well as passkeys) you as a consumer are safe from a vendor being hacked and your credentials being leaked from their side. You're also safe from phishing attacks.

On the other side using passkeys or password+TOTP a vendor is safe from credential stuffing of credentials a malicious actor gained through the above.

Sure you can say that it's both the same factor. But even so it has real security benefits which are much more important than just fitting in authentication factor categories that were thought up more than a decade ago.

There's a big difference for a malicious actor to gain access to millions of devices to steal the TOTP cryptographic string of users vs gaining access to a single vendor. TOTP doesn't save you from the first case but it sure as hell saves you from the second being disastrous.
