[StavrosK]

Okay, but how is that the key's fault? This has literally nothing to do with the authentication method, it doesn't give you access to any other site or anything. It's just a social engineering attack on the service, and it's pretty much the only one left because everything else has been obsoleted by the use of hardware tokens for auth.

[not_that_noob]

Not finding fault. The point of Webauthn is convenience - but the trade off is that if CTAP is compromised, it’s convenient for the attacker too.

[StavrosK]

I don't see how that's different from passwords, though. If your password gets compromised, it's game over as well, and it's much easier to compromise that.