by Spivak
1572 days ago
I really don't get the hype about WebAuthn. Its only real protection against phishing is that credentials are associated with a particular domain, which has been a feature of every password manager, including the OS/browser built-in ones, since forever. The thing requesting the password (i.e. the browser) is still ultimately the source of trust. The threat model these things protect against is so narrow, and now narrower since phones have built-in secure storage, that it can't be worth the effort compared to a marketing push for people to use Bitwarden, Lastpass, 1Password, KeypassX, browsers, or iCloud password saving. And if you really care about accidental logging of plaintext passwords, PAKE already has your back. If we have the political capital to somehow get everyone on board with changing their flow, I really don't see why it should be WebAuthn. It's ultimately just a key stored somewhere controlled by the client presenting it, but with more red tape, pseudo-DRM, and e-waste.

If you're in a high-security setting then go for it, but for the masses, nah.
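The domain binding the comment refers to, as an added example that is not part of the original post: a relying-party-side check of the `origin` field the browser writes into `clientDataJSON` and of the `rpIdHash` the authenticator places in `authenticatorData`. The RP ID, allowed origins and challenge are constructed sample values, and the full signature verification over `authenticatorData || SHA-256(clientDataJSON)` is left out to keep the focus on the binding checks.

```python
import base64
import hashlib
import json

# Constructed sample relying-party configuration (not from any real deployment).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Minimal 37-byte authenticatorData: rpIdHash || flags || signCount.
    A real authenticator hashes the RP ID the browser handed it, so a
    lookalike domain produces a different rpIdHash."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = bytes([0x01 | 0x04])  # UP (user present) | UV (user verified)
    return rp_id_hash + flags + counter.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as a browser assembles it; the origin is set by the
    browser, not by page script, which is the binding being discussed."""
    body = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(body).encode()


def verify_assertion_binding(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: bytes) -> str:
    """Return 'ok' or the reason the relying party rejects the assertion."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return "bad clientDataJSON"
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"          # replayed or stale assertion
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return "origin not allowed"          # browser reported another site
    if len(auth_data) < 37:
        return "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"           # authenticator saw another RP ID
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"
```

Running the verifier with an origin or RP ID that differs from the configured one shows that both the browser-written origin and the authenticator-hashed RP ID have to agree with the server's expectation.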