[brownbat]

> Maybe I'm missing something, but unless this somehow eases the distance between password based authentication and other methods

Spot on.

PKI would be a good endpoint, but adoption is slow, probably because it's a weird leap for a lot of people. So I see this as a transitional step, a methadone for our addiction to passwords, because it could get people used to passwordless logins. It could help people adapt to a service or dongle that handles all their authentication. After that, it's a short hop to have PMs just become "authentication providers," and have them and websites figure out the best backend.

Thanks though, it's a fair point to keep in mind, PKI might even be worth holding up as the ideal in the protocol.