Passkeys are just sparkling TLS client certs

@xssfox worse, since their cryptographic auth is one-time, exchanged for a long-lived stealable cookie