This is why they're pushing passkeys in phones' secure element with cloud account sync: getting people to keep a separate set of hardware keys is nigh impossible at scale.
Sure, but why not preserve the option for people to use hardware keys?
Unfortunately, both the FIDO and WebAuthN working groups seem to be dead-set on making the hardware authenticator use case as painful as possible [1] [2] [3].
I just don't get it. Why even try to pretend that WebAuthN is a single API for both use cases when all stakeholders in charge seem to have given up on one of them?
Unfortunately, both the FIDO and WebAuthN working groups seem to be dead-set on making the hardware authenticator use case as painful as possible [1] [2] [3].
I just don't get it. Why even try to pretend that WebAuthN is a single API for both use cases when all stakeholders in charge seem to have given up on one of them?
[1] https://github.com/fido-alliance/how-to-fido/issues/16
[2] https://github.com/w3c/webauthn/issues/1612
[3] https://github.com/w3c/webauthn/issues/1822