I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.
You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.
An old account with typical activity patterns can be extended some level of trust. If you sign up for an email address and immediately send a message with 100 recipients in CC, you're probably a spammer, so you get blocked. If you've used the account for years, ehh it's probably invitations to your high-school reunion or a donation drive for your Church, let's let this one through.
You can only extend this level of trust if you prevent your gullible users from constantly getting hacked; 2FA is one way to do that.
Passkeys absolutely do not need TPM.
You can get passkey support in any browser with a simple 1password plugin without any TPM hardware.
The same way you could get a TOTP app on your phone without any TPM.
TPMs are just an extra security layer for most usages.
They are mainly a necessity for some shady business like DRMs.
They do not, but how does the service you’re using know your passkey is secure? For all they know you’re just some gullible user that clicks through every fishing email you get. You’re dumb, weak, helpless, they gotta protect you from this scary world out there, and maybe yourself as well.
They can’t do that if they allow your passkey to be stored anywhere you control. KeepassXC? The second you type in your master password the keylogger will snatch it, and your entire database with it!
Okay, maybe you’re some hot shot cryptographer, you’re using a TKey (think Yubikey, except you have full control), and there’s no way your secret key leaves it even if your main computer is fully compromised. Well, the service doesn’t know that. All they see is your public key and a matching signature.
So, sorry Mr. Security Researcher, we’re gonna have to be safe, and require you to use approved hardware only. Too many (wo)men children out there must be protected, we have no way to tell you’re not one of them, so it’s remote attestation or you’re out. What’ online buying worth for anyway, when you can just cross the ocean?
---
Just so we’re clear, I agree with you here. But don’t forget there are two kinds of passkeys out there: with or without the evil remote attestation. And many companies will push for the remotely attested kind, using the exact argument I used above, except with a straight face.
Or they will just present a false dichotomy: remotely attested passkeys on the one hand, short easy to guess reused everywhere passwords on the other.
That's my business, not theirs. If my password gets stolen, that's my problem, not my bank's. Same deal if my passkey gets stolen. They're welcome to try to educate me on good security hygiene if they want, but what hardware I use to secure my credentials is not something they should get to decide.
Passkeys are non-phishable. That's part of their schtick. I'm not a huge passkey fan myself, but this is a real benefit.
A chip which you can write to and interact with but can't read is valuable; it lets you enforce conditions which you otherwise couldn't. For example, you can protect your sensitive data with a 6-digit pin, secure in the knowledge that the chip will erase the encryption key after 10 failed attempts. If you had full access to the TPM storage, you could brute force that PIN in seconds.
I had an idea to create blatantly insecure passkey browser extension. Maybe I should do that.
The reality is that there is software dependent on the user being unable to modify it. This safeguards the server against fraudulent users.
And what actual applications did you have in mind that warrant throwing everybody under the bus? (by that I mean some applications (allegedly) need it, so it gets forced on everyone)
That the laziest of us don't mind and the worst of us want something is not a respectable argument for anything, ever.
Anyway flawed implementation doesn’t mean that hardware attestation is a fundamentally useless primitive. Apple Wallet is responsible for millions of transactions a day.
