[nickray]

SoloKeys person here ;) You can implement software authenticators (listening on local USB port), I imagine some password manager people will do so eventually, or have a direct way to hook into requests. Krypton did this for U2F.

Hardware keys are for if you want hardware security, obviously they can't be free unless you want someone with a different business model to subsidise them.

[cr7pt0]

Yes software authenticators that use a security key for OTP are a good option. This is what Yubikey does with the Yubikey Authenticator. As with most security things there are tradeoffs to each approach. The pro of a software authenticator is that you can have an unlimited number of accounts, the con is that it requires the user to install an app on their phone/computer (in some cases the OTP shows up in a desktop app it may be possible for hacker to intercept). With the OTPs being generated and typed by the key itself the pro is that you don't have to install an app and login can be faster because the OTP is typed for you, no reading and typing it manually (also harder to phish). The con being you can't store unlimited accounts and since the key is typing the OTP the key has to be physically connected to a phone/computer.

[sam_lowry_]

Listening to local USB port? Hm... Why should I listen to a local USB port to exchange keys in a PKI? This only proves my point that WebAuthn is about hardware replacing passwords.

[nickray]

Yes, WebAuthn is about getting rid of passwords. They're a bad idea, for most people, in most situations.