by dyml 632 days ago
Please don’t use WebAuthn on every page load.

Two reasons: the protocol is not designed to do this - and the UI/UX is not designed to support this. There are better ways.

2) It will likely not work. There are virtual/software authenticators (available in dev tools) that could generate a valid response without a human.

1 comments

FWIW using WebAuthn to start a session, set up a cookie, and validating that cookie to get access seems like a pretty usable pattern. Not much more invasive than the "checking your connection" screen Cloudflare likes to throw.
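
The session pattern described in the reply above, sketched as an added example that is not part of the original thread: the WebAuthn ceremony runs once, and every later request is checked against a signed, expiring cookie. `issue_session`, `validate_session`, `SESSION_KEY` and `SESSION_TTL` are hypothetical names, and `assertion_verified` stands in for the result of a real WebAuthn library's checks.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret; generated per process here for the demo.
SESSION_KEY = secrets.token_bytes(32)
SESSION_TTL = 3600  # seconds a session stays valid after the ceremony


def _sign(payload: bytes) -> bytes:
    # HMAC-SHA256 over the payload, base64url-encoded for use in a cookie.
    mac = hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)


def issue_session(user_id, assertion_verified, now=None):
    """Mint a cookie value only after the WebAuthn assertion was verified.

    assertion_verified is a placeholder for the library's signature,
    challenge, origin and counter checks, which are not implemented here.
    """
    if not assertion_verified:
        raise PermissionError("WebAuthn assertion not verified")
    now = time.time() if now is None else now
    payload = f"{user_id}|{int(now) + SESSION_TTL}".encode()
    body = base64.urlsafe_b64encode(payload)
    # Send this value with the HttpOnly, Secure and SameSite cookie attributes.
    return (body + b"." + _sign(payload)).decode()


def validate_session(cookie, now=None):
    """Return the user id for a valid, unexpired cookie, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        # Constant-time comparison of the presented and expected MAC.
        if not hmac.compare_digest(sig.encode(), _sign(payload)):
            return None
        user_id, expiry = payload.decode().rsplit("|", 1)
        return user_id if int(expiry) > now else None
    except (ValueError, UnicodeDecodeError):
        return None  # malformed cookie
```
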