> Passkeys are better passwords. They need a TPM.

Passkeys absolutely do not need TPM.

You can get passkey support in any browser with a simple 1password plugin without any TPM hardware.

The same way you could get a TOTP app on your phone without any TPM.

TPMs are just an extra security layer for most usages.

They are mainly a necessity for some shady business like DRMs.

Run vaultwarden locally. Install bitwarden. Now you have software-only implementation of passkey. Dig into vaultwarden sqlite database and you'll find passkey data there. Extract and save it on disk and you have exportable passkey. See, it's all security theater without remote attestation.

I had an idea to create blatantly insecure passkey browser extension. Maybe I should do that.