Break into separate issues:

• Server side API
• Client side components

• allow users to use either on-device enclaves OR 3rd party passkey hosts (e.g. LastPass, 1Password, etc)
• Don't force web users to scan a QR code if the device supports native enclave