Requiring "tokens" stored in "trusted modules" and 7-factor-auth for everything is not progress, it's theater. The biggest achievement of the security orthodoxy was locking me out of my email, by requiring me to read a code sent to my email to log into my email.

I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.

You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.

Passkeys are better passwords. They need a TPM.

What about Apple Wallet?

The reality is that there is software dependent on the user being unable to modify it. This safeguards the server against fraudulent users.