@rzeta0 Cryptography doesn't remove side channels - if you keep the secrets in a TPM but it doesn't use constant time operations, or if I'm able to monitor the power rails, that's not an absolute barrier. Very little is absolute - the level of security appropriate for a given problem will vary depending on what your threat model is, and I'm broadly ok with having my WebAuthn secrets in a separate VM running on the same CPU