by nickray 2356 days ago
As Stavros mentions, you can, and if you feel qualified, you should manage your own keys. Be that with some software authenticator you deem safe or write yourself, or with e.g. our keys that are open source, so you can modify anything to your liking, etc. etc.

I sense a bit of 90s security thinking from your arguments though, where every end user and mid-level admin handles security decisions they're frankly not qualified for.

This is what I meant by "safe defaults". Yes, some people use e.g. password managers, but no, most people don't. Yes, some people manage to use GPG to manage their ssh keys, but no, most people, even qualified, don't/can't/won't.

"Bad defaults with patches hopefully making it safe" is just not the way we should be heading.


I agree with all of your points, I'd just like to point out that, even if everyone ends up using software authenticators (password manager-style) with WebAuthn, we'll still be in a much better position than we are today, where people just use the same insecure password everywhere.
> every end user and mid-level admin handles security decisions they're frankly not qualified for.

It's better for society to let them make their share of mistakes. In the longer term, everyone will be safer and, incidentally, more intelligent.