[not_that_noob]

They might call in and say they lost their token, and a competent attacker will usually have all the necessary info. Happens all the time with credit card fraud. Sure, you can notify the target that a credential was reissued, but that happens with credit cards too, and most of the time people don’t pay attention.

About 15% of the user population really cares about security and will take the right precautions. It’s the other 85% that are soft targets that keep attackers in business.

[StavrosK]

Okay, but how is that the key's fault? This has literally nothing to do with the authentication method, it doesn't give you access to any other site or anything. It's just a social engineering attack on the service, and it's pretty much the only one left because everything else has been obsoleted by the use of hardware tokens for auth.

[not_that_noob]

Not finding fault. The point of Webauthn is convenience - but the trade off is that if CTAP is compromised, it’s convenient for the attacker too.

[StavrosK]

I don't see how that's different from passwords, though. If your password gets compromised, it's game over as well, and it's much easier to compromise that.