[dwaite]

Typically for web authentication the websites rely on the browsers which by default will back into the platform.

But any level of that may take responsibility - for instance, 1Password and Dashlane replace the browser/platform support by default by altering the implementation of the javascript API via their Web Extensions.

There are ramifications to this approach, such as having to fall back to the browser/platform UX to support hardware security keyfobs.

The platforms (and browsers using their API) also support or plan to support a cross-device option, where you should be able authenticate within a desktop browser using your cellphone via QR code and radio proximity checks. The vision is that some websites will see that the location browser _could_ have supported authentication directly, and offer to help the user register it as a second (more convenient) option.