WebAuthn actually fully supports this model as "platform authenticators", i.e. hardware security modules built into the client system. You see this on the Windows side too where "Windows Hello" integrates with the TPM and acts as a platform authenticator as well.
Yup. A site can even say "I want a platform authenticator" or "I specifically don't want a platform authenticator" during registration using the JavaScript API.
Most sites should just not care, but it's an option if you've determined there's a specific reason it matters in your application.
> A site can even say "I want a platform authenticator" or "I specifically don't want a platform authenticator" during registration using the JavaScript API.
Websites should not depend on JavaScript for something that should be able to be done declaratively.
(Amongst other things - we shouldn't need to use `fetch`/`XMLHttpRequest` when a `<form>` would work just as well - but if only `<form>` let us use more than just GET and POST, and supported more types of serialization, and supported asynchronous form submission - and bring back `<keygen>`!).
* you don't need the TPM for Windows Hello to act as your security key. I can't enable BitLocker because there's no TPM yet I have Hello enrolled as a key for GH.
And yes, there is a way to use it without a TPM technically, but it's not accessible by the computer's management GUIs, and you need to create custom GPOs and apply them.
No need to speak roughly.