If you have an app that doesn't use password manager APIs like 1Password you are responsible for security breaches, not your users

Even for the most security-conscious users

Similarly, if you don't support 2FA or only support one 2FA app or one brand of security key. You're now more culpable than your users