by JeremyNT 1140 days ago
> I can see cross-platform virtual authenticators like the one you're working on becoming more common, and I don't think it's unlikely that the OSs will offer APIs to back these keys with TPMs/Secure Enclaves, and will allow you to replace the built-in passkey manager with a third-party one, much like they do with password managers today.

It seems like you know more about this space than I do, so maybe you can explain it to me. What incentive do players like Apple and Google have to allow this to happen? Don't all of their incentives point to eventually requiring attestation from trusted hardware devices and increasing lock-in?

1 comments

You can't export hard TPM keys, so attested keys become recovery bottlenecks in the user experience. Sure, that's a potential moat to prevent people from jumping as easily between walled gardens, but it's also a moat that can accidentally make your users unhappy if they end up on an unhappy path in your walled garden. People lose devices and need hard recoveries all the time. If they can't get past the moat, they are just as likely to jump to your competitor anyway if they are "starting over".

For what it is worth, Apple has recently stated that they don't see a lot of day-to-day need for hardware-attested keys, and their Passkeys implementation is working to avoid them in most cases in practice, in large part due to that user experience of preferring comfort and recoverability over lock-in.