[cuu508]

I understand that the ability to place stuff "into" a TKey would be needed to support discoverable WebAuthn credentials ("passkeys"). But would it also be needed for non-discoverable credentials?

[Borealid]

Yes, to set a PIN protecting the non-discoverable credentials. The FIDO PIN can be changed while you have access to the authenticator and not to the credentials it previously created.

[arianvanp]

User verification is optional.

If you only do user presence and non-discoverable, then WebAuthn is completely stateless and deterministic for a given (challenge,rpId,origin) triplet

[michaelt]

Isn't a 'passkey' with no discoverable credentials and no user verification just a regular U2F token?

[Borealid]

Well, it could still provide credBlob (up to 32 bytes of data stored in the non-discoverable credential and handed back after verification). But mostly yes, it's losing the advantages of FIDO2.

[arianvanp]

Modulo supporting more algorithms -- yes