I expect there will be backlash from non-technical users due to issues like the comment below where the passkey pushers fail to communicate where the keys are stored and thus users unexpectedly lose access to them.

> I would say "I'm sure they mean well",

Yeah, I wouldn't say that. It's clear from their public comments[1,2,3] that the spec authors don't believe the private key actually belongs to the user to do what they want with. They see services restricting what users may do with their own logins as a feature of Passkeys. It's really a shame it went in this direction. Replacing passwords with an easy-to-use keypair auth system would be a massive security improvement. But the Passkey ecosystem is poisoned at this point. Unless they remove the client ID & attestation anti-features, it should be considered a proprietary big tech protocol.

[1] Threatening an open-source passkey client with server-side bans because they don't implement passkey storage on the client device in the way the spec authors prefer. https://github.com/keepassxreboot/keepassxc/issues/10406

[2] Maintaining a list of "non-compliant" clients, including the above open-source one, presumably for use in server-side bans. https://passkeys.dev/docs/reference/known-issues/

[3] While writing an article about this on my website, I actually emailed the two involved spec authors on the above issue, politely asking how their interpretation of the Passkey spec could possibly be compatible with open source software. Neither replied.

Thankfully open source software is not subject to that, so FOSS password managers should be fine. Doesn't mean that other forces won't try to tear them down, however.

Don't store passkeys in hardware. They are more secure that way, but more dangerous if you lose them. Your passkeys were stored on the old CPU and are gone. If you do, you need to store on multiple devices like phone, tablet, and computer, but that is harder to manage.

Better to store passkeys in password manager. Then they become more secure passwords. The big advantage is that they can't be phished, and sites don't use 2FA with them. It also means you can choose password manager that you trust and work better than Apple and Google.

Yep, big problem with them: most users have no idea where the thing that pops up and offers to store the passkeys actually stores them (sounds like in your case, in your computer's TPM was either on the CPU you replaced or complained and reset itself when the CPU changed). It's a ticking timebomb that all the 'users love passkeys! (after we nag them about it every time they login until they give up)' blogs fail to catch.

You could have used an open source client to manage your passkeys as you like, including backing them up in your own storage format. I wrote about it here: <https://www.smokingonabike.com/2025/01/04/passkey-marketing-...> I was quite excited about it... until I found out that the Passkey spec authors have warned that client that it may face server-side bans because it lets you manage your own private key how you want, and the spec authors think this is appropriate for servers to do. So I deleted all my Passkeys. Sigh.