by FreakLegion 239 days ago
Correct, individual sites could make that choice. They won't, but they could. (Love the mention in the linked comment of Netflix and Disney, two services that don't even support proper MFA.)

We're completely on the same side, to be clear. I just have zero fear of KeePassXC (which I sometimes use with Okta!) being blocked by anything consumer-facing.


Apple does precisely this for Apple account: you need to have a hardware-attested passkey implementation to authenticate using a passkey.

Edit: forgot to add Apple account

To your edit: I suppose this is strictly true, but it's relevant that Apple's own devices satisfy the attested hardware requirement. These are the same devices you need to have a full-fledged Apple account in the first place. That's more Apple doing Apple things than anything to do with passkeys, but it is indeed an example of not being able to use KeePassXC. Will there be more than epsilon cases like that? I still don't think so, for what seem like obvious market reasons.

> Will there be more than epsilon cases like that?

I anticipate banks, enterprise sso login, etc. doing this.

To authenticate to what? I have a few dozen people using passkeys on macOS without attestation, but I'll admit none of them are logging into "Apple".