I've never tried to use passkeys, but determined a while ago my hard, non-negotiable, a priori requirements which would have to be met for me to be willing to use them:
1. I can, if I choose, have a passkey in software (no hardware enclave, no
captive key, no TPM) even if the security of that sucks:
=> Implication: I can backup and copy a passkey without restriction, e.g.
putting the key material in an airgapped password safe, and without that
being visible to a website.
=> Implication: Websites can't discriminate by whether I have a passkey in
software or have any part in deciding whether I get to backup, copy or
transfer a passkey.
2. I can disable any attestation functionality to do my part to prevent
any online service from making it mandatory.
I haven't looked into this yet, so: do, or can, passkeys, or the contemporary WebAuthn implementations in Firefox or Chrome on Linux, meet my requirements?
> I can backup and copy a passkey without restriction ...
We were so very nearly there with U2F... I did extensive testing and you can have a U2F (Fido2/webauthn) device deriving it's private keys, never leaving the device's HSM, from a BIP-44/BIP-39 seed. You write 12, 18 or 24 words down (out of a dictionary of 2048 words) and with these words, you can always reinitialize another Ledger Nano (a cryptocurrency hardware wallet but I didn't care: I was after the U2F "nano app").
It just worked. It was beautiful. My seed were written on paper sheets which I'd store in a safe at the bank / at my parents' home, etc.
As a bonus the hardware device would display, on its little screen, if you were enrolling or login (a useful info) and, for known provides, it'd display the name. For example "login to google?" / "enroll to dropbox?".
Pure beauty.
Then sadly this trainwreck that passkeys are happened, greatly lowering not only the security of 2FA (someone is in control of all your keys and they can be "backed up": what a concept!) but also making you lose the ability to backup your own keys/seed.
I do really hope at some point we see a future "passkeys nano app" for hardware devices on which the user is in control of the master seed used to derive the keys. It worked for FIDO2/webauthn. I hope it'll work again at some point in the future for passkeys.
I wish Yubikey allowed users to import their own FIDO2/webauthn seed and overwrite the factory generated one, and then also allow the resident passkey functionality to be disabled.
It should be up to the user if they want to have multiple duplicate hardware authenticators and be able to backup their seed however they wish.
Firefox and Chrome display a permission dialog when a website requests attestation, and you can deny it. If you deny it, the website has no idea how your passkey is stored, allowing you to use a pure-software solution if you so desire. The website could discriminate against you for denying attestation, but note that Apple always denies attestation for passkeys, so websites intended for the general public are unlikely to discriminate against users who deny attestation.
So yes, I believe your requirements are met in practice.
1Password includes Passkeys in archive/exports of the 1Password database. Safari developers have stated that it is a planned feature to support Passkey exporting (but not currently supported) including between apps.
I'm not aware of any restrictions at this time on your second point. I also haven't seen any examples of attestation and Passkeys being used in practice.
1. I can, if I choose, have a passkey in software (no hardware enclave, no captive key, no TPM) even if the security of that sucks:
2. I can disable any attestation functionality to do my part to prevent any online service from making it mandatory.I haven't looked into this yet, so: do, or can, passkeys, or the contemporary WebAuthn implementations in Firefox or Chrome on Linux, meet my requirements?