Passkeys would be better without remote attestation, no doubt. But remote attestation is not only optional but also, passkeys are not a prerequisite for requiring remote attestation.

Lots of services that don't support passkeys currently require remote attestation. Boycotting passkeys (an open, possibly beneficial tech that doesn't require remote attestation) will not prevent bad actors from requiring remote attestation (with or without passkeys).

Agreed. Boycotting them is necessary but insufficient.

No, boycotting them is entirely orthogonal to the issue. Passkeys have no role in ensuring that we do or don't rely on remote attestation - they're two totally separate considerations.

Passkeys have many benefits over current alternatives for auth, & the inclusion of remote attestation doesn't make them worse than current auth because all current auth can be coupled to remote attestation.

Continue to oppose remote attestation but do use Passkeys. They're a massive improvement.