by woodruffw 1576 days ago
> Users don't want to enroll devices they want to log in with face/touch ID. The webauthn UX is broken and needs to be revamped so that users can choose a not technically perfect but still effective and better than passwords security posture where they reuse a soft webauthn key across devices.

I'm not sure I understand the problem here. WebAuthn is entirely agnostic about the physical factor: it can be a hardware key, a software implementation, TouchID/FaceID, or anything else. You can already use TouchID and FaceID on sites that use WebAuthn, and the UX is perfectly fine. You still have to enroll the device, but that's no different from the Face/TouchID UX in any other authentication context.


The problem is device enrollment. I am saying users want to use FaceID to log in like they currently use a password. They don't want to enroll devices with a service. Browsers don't support software webauthn, so the fact that it can happen is kinda moot. The existing browser-controlled implementation of the UX is what I'm complaining about. There's this assumption in the security community that users need hardware-backed crypto and that soft keys with an agent in between aren't acceptable. I'm saying that for almost all users a soft-key setup backed by hardware primitives works just fine and is better than password auth, but lamenting that it's unlikely we'll see support for it because of platform control under the guise of better security.

Think of it this way: users would be better off with ssh-style login instead of passwords, but the "industry" seems to have skipped that step for consumers and gone straight to hardware keys.