It’s definitely something I would want, but as you hinted at yourself, if there’s no remote attestation, the user can just use a software TPM. So, a company using passkeys has two choices:

- Enforce DBC with remote attestation. This raises the security floor, but enforces device vendor lock-in, and prevent users from selecting unapproved, but potentially even more secure, devices.

- Do not enforce DBC. This lets users use less secure virtualised devices, but there’s no vendor lock-in, and those who want may use the latest most secure device ever.

Which alternative is appropriate is now a social & political problem. My opinion is that for general computers released to the general public, remote attestation is never legitimate. Even with the best of intentions it is fundamentally uncompetitive, and they make it way too easy to go full Evil Corp. Specialised appliances and employees however are different stories.

---

Anecdotally, I have worked on TPM provisioning a couple years back, and I had to warn my hierarchy that doing it the way they specified, the TPM could be impersonated: we checked the signature of the certificate, but failed to compare the certificate root with the manufacturer’s keys. My boss didn’t believe me, until I showed the production code happily provisioned a software TPM, without detecting the impersonation. (Actually, he didn’t believe me even then, I had to go over him to the security specialist.)

This was totally a case of remote attestation. But I believe this particular case was legitimate, because it was a specialised appliance (electric car charging station), that was meant to process payments, similar to a gas station terminal.