Hacker News
by D-Nice 1868 days ago
It's a definite improvement, and good point indeed regarding phishing... just as your answer precludes, a whole different authentication mechanism is needed to avoid phishing; that is why, unfortunately, that couldn't make my list. However, it does protect your other accounts from getting breached if one is either phished or breached, which I considered to be good enough.

WebAuthn does have its own issues and complications, mainly with how to handle account recovery on a lost or corrupted device. Sure, you can have a replacement device, as you and I likely try to do for most things; however, this is too burdensome for many.

I think the biggest issue with any new spec like WebAuthn is vendor adoption. As is... many banks fail to have any 2FA, and those that do give you the terrible choice of SMS 2FA. In addition, they have odd and archaic password requirements, such as only these symbols, and only up to 20 characters, etc. If they have failed to rectify these in the last 2 decades, I'm afraid of how far away in the future something like WebAuthn is from being in realized use. Hence I made SrsPass as hopefully a solution to today's password problems, the ones I considered sanely resolvable.