That said, there was crazy homophobia back then.

Yes, not to understate it. Though it was a few years earlier, Matthew Shepard’s murder was prominent, and similar homophobic killings continued into the 2000s. Nightclub shootings took headlines this decade & the last, too. While parts of society seem more tolerant nowadays, regressive parts of society have hardly changed at all, so it’s hard to gauge.

That take seems a bit inaccurate.

Metrosexual meant going above & beyond in male beauty care (a pretty low bar): going to a salon to get manicures & pedicures, maybe apply foundation & eyeliner, manscaping. Possibly wearing those low-heel shoes that show the ankles without socks.

I also remember the words fag and like being ambiguous such that in written contexts I’d sometimes see the clarification good kind of fag to mean homosexual in contrast to an insult directed at someone the insulter dislikes (for being pretentious, aggravating, annoying or whatever). In speech, the distinction was often understood from tone & context, so someone could be a fag (homosexual) yet not an effing fag (detestable), and their company might be absolutely welcome for that reason. An insulter would usually pile on imagery of the subject performing homosexual acts as the recipient of such insults typically disapproves portrayals of themselves that way. The insult was a way to puncture egos & authorities claiming a traditionally masculine image. It wasn’t particularly effective against out & proud homosexuals or people who weren’t homophobic. While fag wasn’t always an insult, however, bigots & religious zealots often drew no distinction, either.

Passkeys or WebAuthn are an open web standard, and the implementation is flexible. An authenticator can be implemented in software, with a hardware system integrated into the client device, or off-device.

Exportability/portability of the passkey is up to the authenticator. Bitwarden already exports them, and other authenticators likely do, too.

WebAuthn relying parties (ie, web applications) make trust decisions by specifying characteristics of eligible authenticators & authentication responses & by checking data reported in the responses. Those decisions are left to the relying party’s discretion. I could imagine locked-down workplace environments allowing only company-approved configurations connect to internal systems.

WebAuthn has no bearing on whether an app runs on a custom platform: that’s entirely on the developer & platform capabilities to reveal customization.