by EGreg 1568 days ago
Why don't people just use webauthn?
3 comments

I went this route. I really like the design of Google's Identity-Aware Proxy. You host your apps behind it, the proxy authenticates users and passes a JWT to the application that contains additional metadata. The app can choose to care or not care about the JWT. This is nice for read-only things that aren't particularly important (something like jaeger-ui). Or the app can choose to care, and do one cryptographic operation to get a trustworthy username and group membership list. This is so much easier from an operations and implementation perspective than integrating something like OIDC. I wish more applications supported this, and didn't force me to hack OIDC into this flow.

As for WebAuthn, yes, that's what you should be using these days. People are terrible at choosing passwords, so why make them?

I wrote an authenticating proxy that maintains username -> WebAuthn credentials, and use it for my personal projects. I wouldn't recommend that someone else use it (incomplete featureset, not security reviewed), but it's totally open source so you can steal the bits you like: https://github.com/jrockway/jsso2

The end result is that I can open up Grafana on my phone and sign in with FaceID. Or if my face falls off, I can scan my YubiKey with NFC. All given to you for free for using WebAuthn. And it costs $0/month, which is much less than the Oktas of the world charge for a more
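The proxy-to-app hand-off described in the comment above, as an added example that is not part of this thread or of jsso2: the proxy mints a JWT carrying username and group membership, and the app does one signature check to trust it. It assumes a shared HMAC secret (HS256) between proxy and app for simplicity; the secret, audience string and identities are constructed values.

```python
import base64, hmac, hashlib, json, time

# Constructed demo values (assumption: proxy and app share an HMAC secret;
# a real proxy such as Google IAP signs with an asymmetric key instead).
SECRET = b"constructed-demo-secret"
EXPECTED_AUD = "/projects/0/apps/grafana"  # constructed audience value

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_proxy_token(sub: str, groups: list, secret: bytes = SECRET,
                     now: int = None, ttl: int = 600) -> str:
    """Stand-in for the proxy: builds an HS256 JWT carrying identity metadata."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "groups": groups, "aud": EXPECTED_AUD,
              "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def verify_proxy_token(token: str, secret: bytes = SECRET, now: int = None):
    """The app side: one signature check, then claim checks.
    Returns (username, groups) or raises ValueError for anything untrustworthy."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none / downgraded algorithms
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")  # constant-time comparison
    claims = json.loads(_b64url_decode(c64))
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("token issued for a different app")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims["sub"], list(claims.get("groups", []))
```

An app that "doesn't care" can skip verify_proxy_token entirely; one that does gets a username and group list it can authorize against without speaking OIDC itself.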

My desktop doesn't have a webauthn capable secure backing so I'd have to fake one. Maybe the TPM in it can work for that, but I haven't seen browsers leverage that opportunity yet.

This means that unlike my phone, my desktop always requires some annoying fallback. For U2F I've configured Krypt, which uses my phone as a U2F key, but that doesn't work for webauthn (yet?).

This means I'm always filling in password forms for services that also offer webauthn as an option, at least when logging in from my desktop.

The fact I need to go through some form of recovery process to register a device for every browser I use (and, in case of temporary logins on borrowed devices, removing the session again) is also rather annoying.

Then there's the fact that webauthn is only a single factor, and there are real benefits to 2FA. Stolen/mirrored phones at airports of oppressive regimes are a credible threat depending on the business you're serving, so it's essential to have a 2FA option in some form. As webauthn is the "something you have" part of the traditional factors, that means you're either supposed to implement biometrics or some kind of password as a second factor. At that point webauthn is practically U2F with a built in username.

There are also certifications that require your company to use 2FA regardless of the level of security your IT team thinks it needs. You can probably explain away the need for 2FA but I don't think the legal/compliance people in your company will be happy with you if you make them try that.

I'm all for webauthn, but "just use webauthn" isn't a generic fix. It's great for simple services like chat apps, forums, things like HN, you name it, but for business logins there are often requirements that take away a lot of the benefits to the system.

This is incredibly naive, you have to consider support of both applications and help desks, and the cost of those.