The web is a wonderful place: open, permissionless, linkable, and composable, but it also contains many dangers, with numerous actors—both vulnerable and malicious.
Self-custody key is difficult, and Passkey is, in effect, going to be a custodial solution, so you need a separate app outside of the web, which introduces friction.
The ideal solution is to structure an isolated and secure environment within the web itself and bridge only the results of signing and decryption to general web apps and extensions, with seamless integration. Here is one possible path to achieve that.
For example, it enables users to: