[solardev]

What about for software implementations like 1Password and Bitwarden?

[voxic11]

They can't fake the attestation from hardware implementations so you could just reject keys from software implementations.

[ranger_danger]

Wouldn't companies/bots/etc. still just get around this by buying many such hardware devices and automating their usage instead?

[ale42]

So what about users that don't have any such hardware?

[tzs]

Use a CAPTCHA?

[ale42]

Yes of course, but I hope this is part of the plan. Too often new technologies seem to leave some people apart, because the deciders don't think (or don't want to think) about those who don't want to (or can't) embrace a specific technology.

[wkat4242]

Yeah but that breaks real usecases from real users.

It's really annoying, PayPal does this too. They only support passkeys in safari or chrome, even though it works just fine with a yubikey in Firefox. They just go out of their way to stop it from working. Really really annoying.

And they also refuse to enroll more than one token even for the basic fido2 mfa.