I checked the way they are implemented in BitWarden, and it's straightforward.
BTW, the blog is disingenuous. The removal of device attestation from PassKeys was a great boon for compatibility. And the experience with resetting key storages or not having enough slots are simply bugs and/or limitations of hardware. Which was to be expected from a new technology.
Did they remove attestation? The blog implies they didn't when it says: "a security key ... fail to register ... since the IDP rejected the device attestation." What they removed was a browser API that allowed the IDP to filter the available passkeys, so they could tell the user which of the available keys they would accept before they tried to enrol it.
I gather attestation is rarely used by IDP's. That makes sense - why force a low security web site like a forum to keep a list of acceptable token models. However some sites like banks and my Federal Government absolutely need guarantees on how well the secrets are managed. Without it, they will remain with their current "roll their own" solutions. Providing an API that lets their web page say "no we won't accept your North Korean made phone as an authenticator" seems perfectly reasonable to me. That would be the API that Chrome refused to implement.
