by dcow
1575 days ago
It kinda feels like you’re deliberately talking around my point. I’m not saying existing VPNs use PAKEs and it makes them bad. I’m saying you don’t need a PAKE to have “modern” authentication. And look at WireGuard, which is loved for being a dead simple protocol that uses raw keypairs. Therefore it’s not absurd to imagine a very simple protocol like this.

You are correct that client certs have user agent support. Honestly it’s a pretty poor UX though. Have you actually tried building a consumer application that uses client certs in the browser? Good luck getting users to install client certs. Client certs work fine everywhere else where you can run bespoke client software (native apps) except for the part where they authenticate the connection and not the request, but that’s not the point either.

Anyway it’s great that other implementations of WebAuthn exist. But like I just said for client certs: outside of the browser anyone can do anything, so WebAuthn is not a game changer there (not to downplay it). Where WebAuthn matters is for client authentication in the browser, and in that arena it is locked down to platform auth and hardware device auth mechanisms. There is no way users could benefit from WebAuthn right now without the browser-supplied UX. All I’m saying is that WebAuthn would be way more viable in the way people are asking for in this thread if, for example, browsers/platforms allowed extensions to participate as a soft WebAuthn agent so that users could choose their preferred WebAuthn backend and UX instead of the browser-supplied options. The browser client cert UX sucks and so does browser vendor WebAuthn, and I think their adoption story is all the proof you need.