If a passkey is something you know then you are using a failed implementation. A fido/authn device is supposed to be able to attest to never having let the private key out, even with a relaxation to passkeys it should at least be sending it to another device that can attest.
JohnFen|2 years ago