I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.
You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.
The reality is that there is software dependent on the user being unable to modify it. This safeguards the server against fraudulent users.
And what actual applications did you have in mind that warrant throwing everybody under the bus? (by that I mean some applications (allegedly) need it, so it gets forced on everyone)
Passkeys absolutely do not need TPM.
You can get passkey support in any browser with a simple 1password plugin without any TPM hardware.
The same way you could get a TOTP app on your phone without any TPM.
TPMs are just an extra security layer for most usages.
They are mainly a necessity for some shady business like DRMs.
They do not, but how does the service you’re using know your passkey is secure? For all they know you’re just some gullible user that clicks through every fishing email you get. You’re dumb, weak, helpless, they gotta protect you from this scary world out there, and maybe yourself as well.
They can’t do that if they allow your passkey to be stored anywhere you control. KeepassXC? The second you type in your master password the keylogger will snatch it, and your entire database with it!
Okay, maybe you’re some hot shot cryptographer, you’re using a TKey (think Yubikey, except you have full control), and there’s no way your secret key leaves it even if your main computer is fully compromised. Well, the service doesn’t know that. All they see is your public key and a matching signature.
So, sorry Mr. Security Researcher, we’re gonna have to be safe, and require you to use approved hardware only. Too many (wo)men children out there must be protected, we have no way to tell you’re not one of them, so it’s remote attestation or you’re out. What’ online buying worth for anyway, when you can just cross the ocean?
---
Just so we’re clear, I agree with you here. But don’t forget there are two kinds of passkeys out there: with or without the evil remote attestation. And many companies will push for the remotely attested kind, using the exact argument I used above, except with a straight face.
Or they will just present a false dichotomy: remotely attested passkeys on the one hand, short easy to guess reused everywhere passwords on the other.
Passkeys are non-phishable. That's part of their schtick. I'm not a huge passkey fan myself, but this is a real benefit.
I had an idea to create blatantly insecure passkey browser extension. Maybe I should do that.
The problem lies in companies like Apple/Google/Microsoft rejecting attestation that they do not control.
People confusing big tech's policy choices with tech features have made "I want my laptop's auth token to only be usable on my laptop" a controversial opinion.
TPMs are a fucking mess. TPM 2 at least, I’ve worked with it for a few months. I love me some hardware security module, but I want to control it. And if it must be a standard, please please to something like the TKey, so it can be both much simpler than current ad-hoc standards and future proof.
Does it? Why waste time on developing exploits when you can just call up grandma and get her give you the money by her "own" volition - using her secure device - by pretending to be the bank/IRS/her grand daughter using AI voice/etc.
"I don't use a TPM in my computer so it shouldn't exist" has always sounded like a weird argument against the tech in my opinion.
Many Android phones have their secret storage implemented as a virtual machine rather than a TPM. The lack of a TPM doesn't suddenly give me any more freedom, although it does come with security downsides.