[warkdarrior]

If the computer where registration happens is not trusted, no authentication protocol will help. Compare this attack ("malicious computer substitutes passkey at registration time") with a password one ("malicious computer substitutes password at registration time").

[lxgr]

But unlike a compromised password, a compromised passkey can be detected much more easily, since the "real" key will end up not working, unless the attacker also adds it to the victim's account.

[Ferret7446]

Then it should be very obvious if the site displays the user's registered passkeys.