It's neither your actual fingerprint nor a random key - it's more complex. When you create a passkey, your device generates a random private key and stores it in the secure element. Your biometric (fingerprint/face) is just the unlock mechanism for that key, not the key itself.

⚠ So if you delete and re-register a new passkey, you will not be able to restore your old private key!


Discussion

So it's a random key. I think the nuance you are trying to make is that the key is created and kept in the secure element.

My follow up to that would be this:

AFAIK, you cannot do SECP256K1 on these secure elements. So how do you secure the key and use it?

AFAIK, usually you create a key in the secure element, then create another key, encrypt it with the first key and then save it to a file.

This way you can decrypt the file and load the key into memory during use, but the decryption key never leaves the secure element.

I think.

My implementation is really basic. I use the passkey's signature as input to HKDF. Not an expert, maybe it's a really bad idea?

The workflow you described with 2 keys looks great, but I'm not sure how it can be deterministic?