by TheNewsIsHere 740 days ago
The idea of using passkeys as a tracking mechanism is intellectually interesting but I am dubious that it's technically feasible with the current design.

Passkeys, be they platform or roaming authenticators, are generally bound to a public key and/or a public key + domain name. My understanding of the design is that the specification doesn't contemplate the idea of passing around passkeys via CORS or similar mechanisms. Part of the security design rests on mutual authentication by means of asymmetric cryptography.

As long as passkeys require user interaction, there is a lot of friction to attempting that. And even if you could get over that hurdle, you still have all manner of other browser-based hurdles.

What you could do is bind a passkey-authenticated user to some kind of session/cookie tracking, but ITP/per-domain cookie restrictions would still block that.
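The domain binding and user-interaction points in the comment above correspond to checks a WebAuthn relying party runs on every assertion. The sketch below is an added example, not part of the original comment: it checks the RP ID hash, the user-present flag and the browser-written origin. The function names and the `login.example` / `tracker.example` domains are assumptions, the sample data is constructed, and signature and challenge verification are left out.

```python
import hashlib
import json
import struct

FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified


def parse_authenticator_data(auth_data):
    """Split the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def check_assertion_scope(auth_data, client_data_json, expected_rp_id, expected_origin):
    """Return the list of failed checks; an empty list means the scope checks pass."""
    problems = []
    parsed = parse_authenticator_data(auth_data)
    # The authenticator hashes the RP ID it signed for into the data it signs.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        problems.append("rp_id_mismatch")
    # Without the UP bit there was no user gesture behind this assertion.
    if not parsed["flags"] & FLAG_UP:
        problems.append("user_not_present")
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong_type")
    # The browser, not the page, writes the origin into clientDataJSON.
    if client.get("origin") != expected_origin:
        problems.append("origin_mismatch")
    return problems


def make_sample(rp_id, origin, flags=FLAG_UP | FLAG_UV, sign_count=7):
    """Constructed sample assertion fields (no real authenticator involved)."""
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    client = json.dumps({"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ",
                         "origin": origin}).encode()
    return auth, client


if __name__ == "__main__":
    auth, client = make_sample("login.example", "https://login.example")
    print(check_assertion_scope(auth, client, "login.example", "https://login.example"))
    print(check_assertion_scope(auth, client, "tracker.example", "https://tracker.example"))
```

An assertion produced for one RP ID fails both the hash and origin checks when presented to a different site, which is why a credential cannot simply be replayed across domains as an identifier.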