[dcow]

The problem is device enrollment. I am saying users want to use FaceID to log in like they currently use a password. They don't want to enroll devices with a service. Browsers don’t support software webauthn so the fact that it can happen is kinda moot. The existing browser-controlled implementation of the UX is what I’m complaining about. There’s this assumption in the security community that users need hardware backed crypto and soft keys with an agent in-between aren’t acceptable. I’m saying for most all users a soft-key setup backed by hardware primitives works just fine and is better than password auth but lamenting that it’s unlikely we’ll see support it because of platform control under the guise of better security.

Think of it this way, users would be better off with ssh style login instead of passwords but the “industry” seems to have skipped that step for consumers and gone straight to hardware keys.