On-device WebAuthn and what makes it hard to do well

52 points, by tpush, over 2 years ago

4 comments

FreakLegion, over 2 years ago

> For this to work you want to be able to generate a key in hardware (so it can't just be copied elsewhere if the machine is compromised), prove to a remote site that it's generated in hardware (so the remote site isn't confused about what security assertions you're making), and tie use of that key to the user being physically present (which may range from "I touched this object" to "I presented biometric evidence of identity").

On a practical level I think this attitude has held security back for years.

WebAuthn's killer feature is that it stops most phishing cold. Not OAuth phishing, not more exotic approaches that involve e.g. DNS hijacking, but nearly all of what's out there today. And it doesn't need TPMs or attestation or user presence tests for that. Those features are for malware.

Shielding the keys from malware is all well and good, but it's a fine line between stealing the keys used to authenticate and stealing the authenticated session or access token after the user logs in. You can stop the malware from authenticating, but not from accessing. Is this really worth the loss in usability?

Hopefully passkeys get good enough to finally take WebAuthn mainstream, because it's not likely to happen with hardware. I still have Yubikeys for critical production systems, but a couple years ago I started using a virtual USB driver (or HID gadget on Linux) to do the rest through client code. It's all software, the keys are backed up, and I can easily move between computers.

If they'd just started with software half the business world would've adopted this stuff by now.
account-5, over 2 years ago

I can't see how site authentication tied to a single device is a good thing.

If I sign up for a service I can never sign into it unless I have that device with me. For some ultra secure things that's a good thing, for day to day shopping, etc, it's so inflexible as to be useless.

Again what happens when the device breaks or is lost or stolen?

How do I migrate my credentials from Mac to android to windows to Linux to iOS?

I'll be sticking with my password manager until I'm unable to use it.
kjetil, over 2 years ago

The article does not mention passkeys, but they seem destined to be almost all of WebAuthn usage in the future, now that both Apple and Google support them. External FIDO keys will probably remain a niche solution for those with special security needs. But where does that leave the platform authenticator approach? It's great that you can store the key on-device, but is it really worth it to not use passkeys instead?
pabs3, over 2 years ago

If you want to do WebAuthn "terribly" on Linux or elsewhere, the virtual-fido tool presents a fake WebAuthn hardware device over USB over IP.

https://github.com/bulwarkid/virtual-fido/