Absolutely, passkeys couple a trusted device (typically a phone with HSM) with asymmetric encryption.

HSM ensures that the device is actually the device it claims to be, as the key cannot leave the device, and by coupling it with biometrics, which is authentication, you prove to the device you are who you claim to be.

So by the device authenticating you, the device by extension can authenticate you against the remote site using a cryptographic challenge.

There is no vendor lock-in, however. You can use a password manager like 1Password to store passkeys, or even Apple's keychain supports synchronizing the passkey across devices (including Windows). KeepassX also supports passkeys, so it's not limited to official vendors like TPM.

As for HSM, you can also use something like a YubiKey.
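The challenge-response flow the comment describes, written out as an added example (this is illustrative code, not from the commenter, a passkey vendor or the WebAuthn spec). It assumes a hypothetical relying party ID "example.com" and models the secure element as a struct whose private key is never exported; the site keeps only the public key, issues one-time random challenges, and checks that the signed message names it and that the signature verifies. The device side refuses to sign without user verification (the biometric step) and refuses to answer for any relying party other than the one the credential was registered with, which is the origin binding that makes the scheme resistant to look-alike sites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the device side. The private key is generated here and
// never leaves this struct, standing in for a key held in a secure element.
type Authenticator struct {
	rpID         string            // relying party the credential was registered for
	priv         *ecdsa.PrivateKey // never exported
	userVerified bool              // stands in for the biometric / PIN check
}

// RelyingParty is the web site. It stores only the public key plus the
// challenges it has handed out and not yet seen signed.
type RelyingParty struct {
	rpID    string
	pub     *ecdsa.PublicKey
	pending map[string]struct{}
}

// Assertion is what the device hands back for one login attempt.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Signature []byte
}

// Register creates a credential bound to rpID and gives the site the public half.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	auth := &Authenticator{rpID: rpID, priv: priv}
	rp := &RelyingParty{rpID: rpID, pub: &priv.PublicKey, pending: map[string]struct{}{}}
	return auth, rp, nil
}

// NewChallenge issues a fresh random nonce and remembers it so it can be used once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = struct{}{}
	return c, nil
}

// signedMessage binds the signature to both the relying party and the nonce.
func signedMessage(rpIDHash [32]byte, challenge []byte) []byte {
	h := sha256.New()
	h.Write(rpIDHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the device-side step: no signature without user verification, and
// no signature for a relying party other than the one registered.
func (a *Authenticator) Sign(rpID string, challenge []byte) (*Assertion, error) {
	if !a.userVerified {
		return nil, errors.New("user verification failed")
	}
	if rpID != a.rpID {
		return nil, errors.New("no credential registered for " + rpID)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpIDHash, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpIDHash, Challenge: challenge, Signature: sig}, nil
}

// Verify is the server-side step: the challenge must be one we issued and not
// yet consumed, the assertion must name us, and the signature must check out.
func (rp *RelyingParty) Verify(as *Assertion) error {
	if _, ok := rp.pending[string(as.Challenge)]; !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, string(as.Challenge)) // one-time use: a replay is rejected
	if as.RPIDHash != sha256.Sum256([]byte(rp.rpID)) {
		return errors.New("assertion was produced for a different relying party")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.RPIDHash, as.Challenge), as.Signature) {
		return errors.New("signature does not verify against the stored public key")
	}
	return nil
}

func main() {
	auth, rp, err := Register("example.com") // constructed relying party ID
	if err != nil {
		panic(err)
	}
	auth.userVerified = true // the user touched the sensor
	c, _ := rp.NewChallenge()
	as, _ := auth.Sign("example.com", c)
	fmt.Println("login:", rp.Verify(as))      // <nil>
	fmt.Println("replay:", rp.Verify(as))     // rejected: challenge already consumed
	_, err = auth.Sign("examp1e.com", c)      // constructed look-alike ID
	fmt.Println("look-alike site:", err)      // rejected on the device
}
```

The two checks worth noting are the ones a password cannot give you: the device decides whether to answer based on the relying party ID it was registered with, and the server accepts each challenge exactly once, so a captured assertion is useless a second time.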
