by PudgePacket 2005 days ago
Just tried webauthn.io. Doesn't even work :/ I clicked register and it said "Use your security key now or cancel". What does that even mean? What's a security key? Is it a setting in my browser? I have lastpass installed, can it use that? Is it supposed to integrate with the Mac keychain somehow? Gave me no options but cancel.

Pretty underwhelming if that's the future of web auth...


A Security Key is a physical object. For example, here are some reviews by tech press people:

https://www.zdnet.com/article/best-security-key/

https://www.wired.co.uk/article/best-security-keys

Or here's an actual expert writing about them a few years ago if you suspect "tech press people" are worthless:

https://www.imperialviolet.org/2018/03/27/webauthn.html

Or, more practically, if you have a nice phone, try visiting it on that. If it's a relatively modern iPhone or high end Android with a touch sensor running the current OS version you can use that.

Since you mentioned Mac keychain, if your Mac has TouchID that will work on the current OS (in Safari at least) too. Some Windows PCs with fingerprint sensors likewise.

Isn't biometric authentication just a huge password reuse that you can't even stop?

Sure. But biometric authentication for WebAuthn or the related mechanisms built into iOS and Android themselves only takes place on your device. So at the extreme, to "stop" you can just replace that device; I understand most people do that every few years anyway.

WebAuthn doesn't end up with a third party (say, Facebook) having biometric data, what they've got is just a public key and an identifier. Your device is signing to say it checked you are still you, whoever that is. It does not promise how it did that and there's no reason a web site would care.

Your biometric data (if that's how you authenticate) is only needed by your device, to verify this is still you when it makes that claim. So any changes (e.g. you decide to use your other hand) are a local device problem, no need to tell any third parties anything interesting happened.
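To make concrete what the site actually ends up holding and checking, here is an added example (not from this thread or from any WebAuthn library): a toy device and relying party in Go that walk through registration and one login assertion. The Device and Site types, the credential id and the clientDataJSON stand-in are constructed for illustration only.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Device is the user's phone or security key: the private key and any local check (fingerprint, PIN) stay here. Site is the web service.
type Device struct{ priv *ecdsa.PrivateKey }
type Site struct{ creds map[string]*ecdsa.PublicKey } // credential id -> public key, nothing else
// Register mints a fresh P-256 key pair on the device; the site keeps only the public half.
func Register(site *Site, credID string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	site.creds[credID] = &priv.PublicKey
	return &Device{priv}, nil
}
// sigBase is what WebAuthn actually signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func sigBase(authData, clientData []byte) []byte {
	cdh := sha256.Sum256(clientData)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return h[:]
}
// Assert answers a login challenge. authenticatorData = rpIdHash || flags || signCount; the flags
// byte (0x01 user present, 0x04 user verified) says a check happened, never what the biometric was.
func (d *Device) Assert(rpID string, challenge []byte, flags byte) (authData, clientData, sig []byte, err error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData = append(rpIDHash[:], flags, 0, 0, 0, 0)
	// Constructed stand-in for the browser's clientDataJSON; the challenge ties the signature to this login.
	clientData = append(append([]byte(`{"type":"webauthn.get","challenge":"`), challenge...), `"}`...)
	sig, err = ecdsa.SignASN1(rand.Reader, d.priv, sigBase(authData, clientData))
	return authData, clientData, sig, err
}
// Verify is everything the site can do and all it needs: look up the stored public key, check the
// rpId hash, challenge and flags, then check the signature. No biometric data is involved.
func (s *Site) Verify(credID, rpID string, challenge, authData, clientData, sig []byte, requireUV bool) bool {
	pub, ok := s.creds[credID]
	rpIDHash := sha256.Sum256([]byte(rpID))
	if !ok || len(authData) < 37 || !bytes.Equal(authData[:32], rpIDHash[:]) || !bytes.Contains(clientData, challenge) {
		return false
	}
	if flags := authData[32]; flags&0x01 == 0 || (requireUV && flags&0x04 == 0) {
		return false
	}
	return ecdsa.VerifyASN1(pub, sigBase(authData, clientData), sig)
}
```

Note that Verify never sees which hand, finger or PIN was used; a flipped flag byte or a different origin simply fails the signature or the rpId check.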