I went and read a little on the Web Authentication spec[1].

I have a laptop, a smartphone and a tablet. Their 'use cases' section seems to imply that once I register with a site using this new auth system, I *have* to use the same device to authorise any future login attempts, either on the same device, or on another device over USB/NFC/BLE.

So, if I register on my laptop, basically fuck any chance of being able to make use of the site on my phone/tablet when I'm away from my desk.

If I register on my phone, that means I then have to have my phone on and with me to authenticate.

If I lose/wipe/upgrade my phone, I guess I'm just fucked.

Some might argue the second is the same for 2FA, but that is not the case. The (T|H)OTP spec says nothing about what can be done with the secret that is provided, from which OTPs are generated. Consequently, I can keep an (encrypted) copy of my 2FA config, and even sync it between mobile devices, so as long as I have access to either my tablet or my phone, or a replacement for one of those that I sync the 2FA app db to, I can generate any required 2FA OTP.

If the spec doesn't allow for a user to manage the private key how they see fit (e.g. syncing to other devices they own, and/or to off-device storage) this is honestly worse than the current situation.

[1] http://w3c.github.io/webauthn/
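The portability argument above rests on how HOTP/TOTP is built: the OTP is a pure function of a shared secret and a counter (or the current time), so any device holding a copy of the secret produces the same code. The following is an added example (not code from the comment author or from any 2FA app) that implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, exports the secret in the base32 form the usual otpauth: URIs carry, re-imports it on a second "device", and checks both produce identical codes. The secret used is the RFC test secret "12345678901234567890"; the two-device scenario and the verify window of one step are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a code from the current step or up to `window` steps either side (clock drift).
    Uses a constant-time comparison so the check does not leak digit matches via timing."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def export_secret(secret: bytes) -> str:
    """Unpadded base32, the form that otpauth:// URIs and app backups commonly use."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def import_secret(b32: str) -> bytes:
    """Inverse of export_secret; restores the padding base64.b32decode insists on."""
    padded = b32 + "=" * (-len(b32) % 8)
    return base64.b32decode(padded, casefold=True)


def same_code_on_both_devices(exported: str, at: int) -> bool:
    """Simulate 'device B' restored from a synced backup of 'device A's secret (assumed scenario).
    Because the code depends only on (secret, time), both devices must agree."""
    device_a = import_secret(exported)
    device_b = import_secret(exported)   # a second copy, e.g. restored from an encrypted backup
    return totp(device_a, at) == totp(device_b, at)


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 / RFC 6238 test secret.
    secret = b"12345678901234567890"
    print("HOTP counters 0..2:", [hotp(secret, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(secret, 59, digits=8))
    backup = export_secret(secret)
    print("exported secret:", backup)
    print("restored device agrees:", same_code_on_both_devices(backup, 1_000_000))
    print("drift of one step accepted:",
          verify_totp(secret, totp(secret, 1000), 1000 + 29))
```

The expected values come from the test vectors in RFC 4226 appendix D and RFC 6238 appendix B, so the implementation can be checked offline. Note that nothing in `export_secret` is bound to hardware: that is exactly the property the comment contrasts with a WebAuthn private key held in an authenticator.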