Their approach is one which is fully stateless on the chip (see their documentation for why).
Theoretically this is quite desirable, but various protocols aren't built in a way enabling it.
E.g. TOTP pushes a secret from the server to the client, instead of having some form of deterministic key exchange.
Similarly, while FIDO protocols and passkeys could have been designed in a way which can work fully stateless, they are not.
Now, it doesn't mean you can't make it work with TKeys, but it can get more complex, e.g. for TOTP, using the TKey to guard a local password vault which then does the TOTP instead of having the TOTP on the key directly (but then, while TOTP is better than SMS 2FA, it's still pretty bad compared to what is technically possible, much worse than a lot of people realize).
> similar while FIDO protocols and passkeys could have been designed in a way which can work fully stateless they are not
It's been a while since I've looked deeply at FIDO, but I think they would have had to make a handful of nontrivial security concessions to make WebAuthn stateless. One pretty important one that comes to mind is the token counter, which in principle enables RPs to detect a cloned credential.
The problem starts earlier with the secret key which you can't place "into" a TKey. You can deterministically derive one between the TKey and a server using something like a (semi) static DH, but that isn't how it is implemented in general.
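To make the "deterministic key exchange instead of a pushed secret" idea concrete, here is an added example (my own sketch, not code from the commenters or from Tillitis). It models a stateless device in the simplest way: the device holds only a per-device secret and re-derives a per-app key from that secret plus the hash of the loaded app, then re-derives a per-relying-party static X25519 key from the per-app key. Standard TOTP cannot be made stateless this way because the server chooses the seed and pushes it to the device, so the device must store it; with a (semi) static DH the server instead stores the device's public key and both sides derive the TOTP seed from the shared secret, so the device stores nothing. The derivation scheme, the names UDS/APP_HASH, and the sample secrets are constructed assumptions for the demo and do not reproduce any real device's firmware; the X25519 ladder follows RFC 7748 and the TOTP code follows RFC 6238.

```python
import hashlib
import hmac
import struct

# ---- X25519 (RFC 7748 Montgomery ladder) in pure Python so the demo runs offline ----
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519; x25519(priv, BASEPOINT) is the public key."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# ---- TOTP (RFC 6238 over RFC 4226 HOTP), the same code on device and server ----
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**digits
    return f"{code:0{digits}d}"


# ---- Stateless device model (assumption: only UDS and the app hash exist on the chip) ----
UDS = hashlib.blake2s(b"constructed per-device secret").digest()       # constructed
APP_HASH = hashlib.blake2s(b"constructed totp-app binary").digest()    # constructed


def derive_cdi(uds: bytes, app_hash: bytes) -> bytes:
    """Per-app key: same device + same app -> same key; any other app -> a different key."""
    return hashlib.blake2s(app_hash, key=uds, person=b"cdi").digest()


def device_rp_private_key(cdi: bytes, rp_id: bytes) -> bytes:
    """Static X25519 private key for one relying party, re-derived on every boot, never stored."""
    return hashlib.blake2s(rp_id, key=cdi, person=b"rp-key").digest()


def seed_from_shared(shared: bytes, rp_id: bytes) -> bytes:
    """Both sides turn the DH shared secret into the TOTP seed the same way (HMAC as a KDF)."""
    return hmac.new(shared, b"totp-seed" + rp_id, hashlib.sha256).digest()


def enrol_and_authenticate(rp_id: bytes, now: int) -> tuple[str, str]:
    """Returns (code computed by the device, code computed by the server)."""
    # Enrolment: the server keeps its own static key pair plus the device's public key.
    server_priv = hashlib.blake2s(b"constructed server static key").digest()   # constructed, stored server side
    server_pub = x25519(server_priv, BASEPOINT)
    dev_priv = device_rp_private_key(derive_cdi(UDS, APP_HASH), rp_id)
    dev_pub = x25519(dev_priv, BASEPOINT)                 # the only thing the server learns
    # Authentication: the device re-derives everything from UDS + app hash; no seed was pushed to it.
    dev_code = totp(seed_from_shared(x25519(dev_priv, server_pub), rp_id), now)
    srv_code = totp(seed_from_shared(x25519(server_priv, dev_pub), rp_id), now)
    return dev_code, srv_code


if __name__ == "__main__":
    print(enrol_and_authenticate(b"example.org", 1_700_000_000))
```

Two properties worth checking when playing with this: reloading a different app (a different APP_HASH) yields a different CDI and therefore a different per-RP key, which is the point of tying keys to the app hash; and the server's only per-device state is a public key, so a database leak does not expose TOTP seeds the way a conventional TOTP deployment does. What this does not give you is the cloned-credential detection that a counter provides, which is exactly the concession the reply above points at.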
I understand that the ability to place stuff "into" a TKey would be needed to support discoverable WebAuthn credentials ("passkeys"). But would it also be needed for non-discoverable credentials?
Yes, to set a PIN protecting the non-discoverable credentials. The FIDO PIN can be changed while you have access to the authenticator and not to the credentials it previously created.
Well, it could still provide credBlob (up to 32 bytes of data stored in the non-discoverable credential and handed back after verification). But mostly yes, it's losing the advantages of FIDO2.