WebAuthn is a UX improvement as well as a security improvement. I sympathize with your point, but in this case it’s easily sellable as the cure to the rest of your list … unless you somehow lose your key.
Not a UX improvement. Most users need a yubikey for the computer unless they have a new Mac. Asking my 65 year old dad to keep up with a yubikey is not just bad UX, it's failing UX. It simply will not happen.
I don't even think it's realistic to get him to use a smartphone for this, he hates the things.
WebAuthn works great for your Web 3.0 startup but as soon as you're talking about the average user, who is likely decades older than the commenters here, and far less interested in keeping up with these things, and far less patient with the hassles... asking them to carry hardware is a nonstarter for so many.
I thought Windows machines just used the TPM to store WebAuthn keys? No yubikey necessary. Just a click on some popup dialog to select your credential for login.
Windows has a service called "Windows Hello" which can work with WebAuthn (otherwise it's hardware keys). It requires your computer to have various biometric or camera technology built in, such as a fingerprint scanner. I'm sure Windows laptops are more equipped for this, but desktops obviously are not, and I'm certainly not advising folks to leave some insecure cheap imported webcam hooked up 24/7 "for security purposes".
I don't know anyone using "Hello" but I suppose it's an option. Most Windows users would likely have to use a hardware key though.
I would be wary of using this. I have been using Windows since Windows 95 and have seen enough things go wrong that I wouldn't want to be locked out of my online accounts. For example, one thing I noticed is that simply updating my BIOS in Windows 11 causes havoc and everything gets signed out. A cross-platform hardware token sounds more appealing to me. I could see Hello being something to secure corporate laptops/accounts in an enterprise environment though.
> For example, one thing I noticed is that simply updating my BIOS in Windows 11 causes havoc and everything gets signed out.
That's surprising. As in, the fact that that happens is to be expected from the firmware's point of view - updating the firmware changes the measurements made to the TPM so any secrets can no longer be unlocked. But I would've expected Windows to update the expected measurements before applying the update to prevent that from happening.
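
The measurement behaviour described in the last comment, as an added example that is not part of the thread: a simplified Python model of PCR extension and a secret bound to a PCR value, showing the lockout after a firmware change and the pre-update reseal the comment expects. The `ToyTPM` class, the handle name and the component strings are constructed for illustration; a real TPM enforces this through policy sessions rather than a dictionary lookup.

```python
import hashlib
import hmac


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components) -> bytes:
    """Replay a boot chain into one PCR, starting from all zeroes."""
    pcr = bytes(32)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTPM:
    """Hypothetical model: releases a secret only if the PCR matches."""

    def __init__(self):
        self._sealed = {}  # handle -> (expected PCR value, secret)

    def seal(self, handle: str, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed[handle] = (expected_pcr, secret)

    def unseal(self, handle: str, current_pcr: bytes):
        expected, secret = self._sealed[handle]
        return secret if hmac.compare_digest(expected, current_pcr) else None


def demo():
    # Constructed sample boot chains: only the firmware image differs.
    old_chain = [b"firmware v1 (constructed)", b"bootloader (constructed)"]
    new_chain = [b"firmware v2 (constructed)", b"bootloader (constructed)"]

    tpm = ToyTPM()
    tpm.seal("credential-key", b"wrapped-key", measured_boot(old_chain))
    before = tpm.unseal("credential-key", measured_boot(old_chain))

    # Firmware updated without preparation: the PCR differs, unseal fails.
    after_update = tpm.unseal("credential-key", measured_boot(new_chain))

    # Pre-update step: while still booted on the old chain, unseal and
    # reseal against the PCR value predicted for the new firmware.
    secret = tpm.unseal("credential-key", measured_boot(old_chain))
    tpm.seal("credential-key", secret, measured_boot(new_chain))
    after_reseal = tpm.unseal("credential-key", measured_boot(new_chain))
    return before, after_update, after_reseal
```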