by eddythompson80
1082 days ago
I disagree. WebAuthn has been conflated with USB/NFC hardware keys; while that’s technically not correct, I have found plenty of non-technical people to fully “get it”. “I don’t have to have a super complicated password because this YubiKey stores an un-hackable password for me” is the sentiment I’ve heard. Previous attempts at replacing passwords were all nonsense. They were all about replacing symmetric keys with asymmetric keys, which, to anyone who doesn’t understand the difference, makes no sense. I mean, even if you understand the difference, it hardly makes any difference in usability. I still have to manage my private key and secure it myself. The only usability difference is that I don’t have to transmit it, which is not even something that I do; it’s something that whatever software I’m using does. With a hardware key, it makes intuitive sense. Sure, maybe the distinction between a TPM, Secure Enclave, Knox, Titan or a YubiKey is hard for non-technical people to understand or reason about, but luckily for WebAuthn, simple external hardware keys are becoming a norm. I have seen many completely non-tech companies adopt YubiKeys, which I was delighted to see.
Hardware keys are all about asymmetric cryptography, and are just basically another way to store keys. You still have to manage those keys. It's just way harder, because now it's a physical thing that's much harder to backup/copy by design.