Currently, to my understanding, Passkeys/FIDO2 credentials are implemented in stock Android via Google Play Services. Quote from this page suggests so:
To try this today, developers can enroll in the Google Play Services beta and use Chrome Canary. Both features will be generally available on stable channels later this year.
A passkey implementation without google play services would be very useful. Maybe one miraculous day it can even be landed upstream in AOSP (but that day will likely never come). I know that passkeys are meant to be resistant to device loss, and that's pretty much impossible without an insert something account with cloud sync which goes against the principles with the OS. Maybe an approach similar to Seedvault, i.e. backups to USB or self-hosted cloud would be viable, but that would require a file format etc etc...... I'm just rambling on here so I'll stop.
Any plans for an implementation in GrapheneOS?