by TomatoDash 822 days ago
A bit of a tangent, but do you have a view on prices for hardware security keys like YubiKey? For private use they're a pricey option, especially if you get a few backup keys. Could a big actor like Google, if they wanted, scale up production, sell at cost and get prices down to, say, $2 each? Or are the components and manufacturing inherently more costly? Is there anything on the horizon that will likely bring much lower prices?

This is why they're pushing passkeys in phones' secure element with cloud account sync: getting people to keep a separate set of hardware keys is nigh impossible at scale.

Sure, but why not preserve the option for people to use hardware keys?

Unfortunately, both the FIDO and WebAuthn working groups seem to be dead-set on making the hardware authenticator use case as painful as possible [1] [2] [3].

I just don't get it. Why even try to pretend that WebAuthn is a single API for both use cases when all stakeholders in charge seem to have given up on one of them?

[1] https://github.com/fido-alliance/how-to-fido/issues/16

[2] https://github.com/w3c/webauthn/issues/1612

[3] https://github.com/w3c/webauthn/issues/1822

There is actually a path to $2 keys:

Most modern smartphones support contactless smartcards (a.k.a. "NFC"), which can be used as FIDO credentials. It should be possible to produce these for around $2 at scale.

They wouldn't work at computers, unfortunately (not even with an adapter, since desktop browsers and OSes don't expect to speak FIDO-over-ISO-7816-over-CTAP-over-USB), but with QR-based cross-platform flows now part of the specs, phones could pretty straightforwardly serve as readers for other devices.

If large issuers of ISO-based smart cards (e.g. banks or government authorities for biometric ID cards and passports) could be convinced to just throw a FIDO implementation on there (there's open-source ones available!), people could even use the cards they already own.

YubiKey used to sell a simple WebAuthn-only key for $10-$15. USB-only, no NFC or anything. It was blue instead of the standard black. That one was essentially killed when passkeys became popular, because it didn't support resident keys. I believe some companies (Google? GitHub?) were giving them away for free.

Its replacement is $25, which is expensive enough to be an issue for poor people.

Thanks, I'll look into that product. Less costly, but still far from the $2 scenario. If hardware keys got to a super low price point, or were even handed out for free or bundled with new phones or PCs, I imagine lots of people would prefer them over passkeys.

I am a YubiKey user, but they are a terrible option for a normal person. Losing a hardware key means being locked out from all your accounts for real, and if cryptography taught me one thing, it's that people are not responsible enough to manage their own keys (keep a backup key up to date, print recovery codes, etc.).