Secretive is great. I use it on my T2 and M-series Macs and feel much better with keys sitting in those machines' secure enclaves than I did back when it was just sitting in ~/.ssh/ for anything to grab.
I just wish there were something as clean as Secretive for using generic PC TPMs or YubiKeys in place of a Secure Enclave under Windows and Linux. Currently have a Linux laptop halfway through setting that up and it's messy in comparison.
Physical presence makes sense. I didn't really think it through but it's just the same as any other 2FA: you want something you know and something you have. Thanks.
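The "something you have" point above hinges on OpenSSH's FIDO/security-key key types (`sk-ssh-ed25519@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`), which require a touch on the key for every signature unless the server-side `no-touch-required` option waives it per entry. The script below is an added example, not code from the thread or from Secretive: it classifies each line of an `authorized_keys` file as software-backed, security-key-with-touch, or security-key-without-touch, so an admin can spot entries where the presence check has been switched off. The sample file is constructed inline and its key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example: audit authorized_keys entries for hardware-backed keys and
# for the no-touch-required option that disables the user-presence check.
# Key type names and option names are OpenSSH's; the sample data is made up.

SAMPLE_AUTH_KEYS="$(mktemp)"
trap 'rm -f "$SAMPLE_AUTH_KEYS"' EXIT
cat > "$SAMPLE_AUTH_KEYS" <<'EOF'
# constructed sample; the base64 blobs are placeholders, not real keys
ssh-ed25519 AAAAC3PLACEHOLDERSOFTWAREKEY user@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER user@yubikey
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER ci@builder
verify-required,no-touch-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER2 user@pin
EOF

# classify_key LINE -> prints one of: skip, software, sk-touch, sk-no-touch
# Layout of a line is "[options] keytype base64 [comment]"; options are only
# present when the first field is not a key type. Quoted options containing
# spaces (e.g. command="...") are not handled by this simple word split.
classify_key() {
    line=$1
    case "$line" in
        ''|'#'*) echo "skip"; return 0 ;;
    esac
    set -- $line
    opts=""
    case "$1" in
        ssh-*|ecdsa-*|sk-*) keytype=$1 ;;
        *) opts=$1; keytype=$2 ;;
    esac
    case "$keytype" in
        sk-*)
            # FIDO-backed key: touch is required unless explicitly waived
            case ",$opts," in
                *,no-touch-required,*) echo "sk-no-touch" ;;
                *) echo "sk-touch" ;;
            esac ;;
        *) echo "software" ;;
    esac
}

# count_no_touch FILE -> number of security-key entries with the presence
# check disabled; these are the ones worth reviewing.
count_no_touch() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        if [ "$(classify_key "$l")" = "sk-no-touch" ]; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# Report every entry, then the count of waived-presence entries.
while IFS= read -r l || [ -n "$l" ]; do
    kind=$(classify_key "$l")
    [ "$kind" = "skip" ] || printf '%-12s %s\n' "$kind" "$l"
done < "$SAMPLE_AUTH_KEYS"
echo "entries with no-touch-required: $(count_no_touch "$SAMPLE_AUTH_KEYS")"
```

Run it against a real file by replacing the sample path; a key generated with `ssh-keygen -t ed25519-sk` shows up as `sk-touch`, and an entry reporting `sk-no-touch` means a stolen or remotely abused token could sign without anyone at the keyboard.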
It's not a perfect rule, but anything that is a generation or two behind and has a GPU that's either integrated (Intel or AMD) or discrete AMD, with Intel wifi and bluetooth, is going to have a pretty good chance of handling a reasonably recent Linux distro (e.g. Fedora or Ubuntu non-LTS) well. While Nvidia provides official Linux drivers, I've personally had more trouble out of them than I have with the stock Linux drivers for Intel and AMD GPUs.
Any laptop that is listed as supported by Windows 11 will have an onboard TPM.
For Windows, it seems it's possible [0, see footnote]; however, there are problems like general incompatibilities [1], and the official support status is "We have this in our backlog. At this point it's not prioritized."

[0] Footnote: "Windows Hello also supports other types of authenticators like internal TPM device (if they support generating ECDSA or Ed25519 keys, they can be used instead of FIDO/U2F security keys)."