IMO one of the biggest issues with the Passkey spec is that it doesn't provide a way to automatically rotate credentials. The entire security model relies on Apple/Google/[insert name of nonprofit they end up allowing through the DRM gates to avoid antitrust suits] being completely infallible, forever.