by justsomeadvice0 1240 days ago
> And also the "minor" thing that having only one strong authenticator makes it super-easy to lose own data just in case the authenticator breaks etc.

This is why I mentioned "esp with synced passkeys".

WebAuthn can use - but does not necessarily require - hardware-backed keys. iCloud passkeys are an example of an implementation of "soft" keys that are both transparently backed up and synced across the user's devices. Their interfaces are designed to make them difficult to leak (I'd imagine you'd need root+SIP turned off, or a really good OS bug), but are to my knowledge resident in device memory. This is a tradeoff for usability. Grandma is never going to be able to use YubiKeys to log into things, let alone set one up.