[romwell]

>Don’t even get me started on physical security keys

Well, I haven't seen a single person who wouldn't have one. We use them for cars and houses, though.

And credit/debit cards, I bet you have them too. It's a physical security key to the ATM. Classic 2FA spirit: something you have (the card) + something you know (PIN code).

The point is, people don't have problems with physical security keys. Programmers do (and hardware vendors) do, which means no standards and clunky UI.

[oefrha]

Physical key keys go into designated keyholes, and give you physical access to something. Physical cards go into dedicated machines, and give you access to a physical transaction, cash, deposit box, etc. Physical objects for physical access.

Physical U2F keys get in the way of all-digital flows. They also need to interact with all kinds of non-dedicated devices, something they do a less than stellar job of. Bluetooth and NFC keys are young, setup process isn’t great and reliability seems to vary; USB keys require a USB port which might be occupied by other things or available only in another physically incompatible shape.

[romwell]

So, we are agreeing?

The keys aren't the problem, the engineers are. In this day and age, every device should have a digital keyhole (NFC, whatever) - and it should not take more than "insert or hold X next to Y".

Re: "physical process": something tells me you didn't type this message telepathically. UX is a physical process, and 99.99% of the time, it's doing something with your hands anyway. (Alexa/Siri/OK Google are a different beast).

If every other phone can have a fingerprint scanner, it can have something for actual keys too.

Moreover, imagine this: your devices could have built-in hardware keys that you can register with your bank/etc should you desire that convenience.

Still proper 2FA: your phone number is just an account, which is at the whim of your service provider, but your device is something you have.