by josephcsible 696 days ago
> The credential is not only the user's data. The credential is an agreement for access between the user and the service provider.

The credential is, in fact, only the user's data. How does it even make sense that a credential could be an agreement?

> The service provider has every right in the world to demand the user prove that they are securely storing the credential in a way that can't be extracted.

No, nobody has any right to dictate, or even know, how my device stores my data.

1 comments

You're dictating to your bank they shall not let your money be stolen, right? Perhaps not dictating, but if you thought that was a possibility you would go to another bank. So they can honour that agreement, they are dictating to you how you store your passkeys so they can be reasonably sure people can't use them to steal your deposits. And again not dictating in an absolute sense - you are free to find another way to safeguard your money.