by mooreds
1568 days ago
I also don't think that the client certificate solution that is trumpeted at the end (for which I don't blame them, content marketing has to content market) is a great option. From the post: "The UX and tech for PKI Infrastructure isn’t great, and the client UX sucks." Guess what, it has for years and years. Deployment is hard. Creating certs at scale for normal users has been available for a long, long time, but no one has done that. I think that a more fruitful approach would be to go the WebAuthn path, and tie into the browser/OS for support (as mentioned in the article). Boom, deployment solved (https://caniuse.com/?search=webauthn has the list; it's most major browsers on mobile and desktop--the only one missing that I'd love to see add it is Firefox on Android). Now you need to tie into the application and I don't want to diminish that effort. But many apps use libraries or auth servers, so your surface area for deployment is far smaller.