I do respect Moxie Marlinspike, but I'm not sure he "came up with this idea". I read about it first from the author of Age [1]. And to me it seems like whoever worked on adding a PRF extension to WebAuthn probably knew that PRFs are cool and could be used for cool stuff.
All that to say, I don't feel a need to attribute that to someone in particular, but if I did, I would want to be sure I am right.
> In practical terms, this replaces a lot of the awkward machinery behind encrypted systems. End-to-end messaging usually requires long-lived identity keys, recovery phrases, or some form of server-assisted key escrow. Encrypted SaaS products often rely on password-derived keys or server-stored wrapped keys for recovery. Using passkeys and the WebAuthn PRF shifts that root of trust into hardware-backed credentials that already exist on user devices, reducing both system complexity and the number of high-value secrets stored on servers.
I hope that makes the reason for my post clearer? Thank you for your comment, I'm pretty new to writing blog posts and your comment identified that I clearly hadn't properly communicated why I thought the approach was novel or exciting. It might have been obvious to some, but having Moxie do it in a product makes it much easier to justify by copying his approach.