by throwaway45631 1464 days ago
I understand how users register and log in on a device - but it gets complicated when wanting to allow users to couple multiple devices to an account.

Anyone here with recommendations?

Say you registered via smartphone and now want to log in on the desktop - do you tell the desktop user to grab his mobile Safari, log in and pull up some PIN number which he then types into the desktop client?

And how would people recover accounts if their devices are lost?

I guess technically one can always come up with some solution - but while FIDO gives a unified, cross-device way for users to log in and register – it’s the complete opposite when it comes to the aforementioned issues.

2 comments

Microsoft, Google, and Apple recently announced support and commitment for multi-device credentials, which you can share between devices in the same "sync fabric". See some discussion on Hacker News here: https://news.ycombinator.com/item?id=31294316

> Say you registered via smartphone and now want to log in on the desktop - do you tell the desktop user to grab his mobile Safari, log in and pull up some PIN number which he then types into the desktop client?

That's basically how it has to be done, at least for on-device authenticators. Granted, you can replace the PIN code mechanism with some other one, like having the website email you a one-time authentication URL that you can then use to access the website to add your desktop authentication.

If you use a portable authenticator (YubiKey), then you can just use the authenticator on the phone and on the desktop. The ones with NFC will perform the same authentication on mobile and desktop.
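
The PIN-based device linking discussed in the thread above, sketched server-side as an added example that is not part of the original posts: the signed-in phone session requests a pairing code, and the desktop redeems it before registering its own credential. The `DeviceLinkStore` class, the 8-digit code, the 5-minute lifetime and the 5-guess limit are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a pairing code
MAX_ATTEMPTS = 5         # assumed guess limit before the code is revoked


class DeviceLinkStore:
    """In-memory store of pending pairing codes, keyed by account (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account):
        """Called from the already-authenticated phone session."""
        code = f"{secrets.randbelow(10**8):08d}"  # 8 digits, shown on the phone
        # Only the hash is stored; a new code replaces any older pending one.
        self._pending[account] = [self._digest(code),
                                  self._clock() + CODE_TTL_SECONDS,
                                  MAX_ATTEMPTS]
        return code

    def redeem(self, account, code):
        """Called from the desktop. True means the desktop may now register
        its own credential for this account."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[account]      # expired: discard
            return False
        if hmac.compare_digest(code_hash, self._digest(code)):
            del self._pending[account]      # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[account]      # too many guesses: revoke
        return False
```

A successful `redeem` only authorizes the desktop to start its own credential registration; the registration ceremony itself is outside this sketch.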