As I understand this, if malware is on the machine it can do unlimited WebAuthn validations in the background without user interaction.

Anchoring to physical human interaction with a button or biometric sensor is a huge security property I don't think current gen TPMs can solve for.

In a typical implementation someone must be present at the machine expecting a tap, and tapping.

That said, overall this is a clever best effort for when a TPM is all a user has and you at least want to prove a given machine is involved in with.

If malware is on the machine you are basically screwed anyway. A threat model where you happen to never authenticate with a service while you have the malware installed is not especially compelling.

That's really cool. Is it possible to use it without a hardware TPM, for testing? I have used rust-u2f in the past for that purpose.

Yup, there's a flag `-backend memory` that generates ephemeral keys in memory.