
Not really a problem for me - I keep a set of six CTAP2 keys registered on everything with careful labelling etc.

But for normal people, we do need to get more of the balance into the usability side I think. The thing with iCloud Keychain is it can comfortably be recovered without breaking the end-to-end encryption with only a single remaining device, and many Apple users have as many as 3-4 devices in the circle of trust.

It seems ideally some kind of "roaming platform" additional option would be good in the WebAuthn standard.




I agree, but it sounds like we’re trying to get the web browser to simplify and implement OAuth2 and OpenID Connect via WebAuthn ... If we already have OpenID Connect, the only advantage to end users under that scenario is a login-with-Apple ease-of-use improvement. Seems more likely that we’ll continue using OAuth2 and OIDC server side for this, for now... but maybe we’ll end up standardizing the ways MFA is requested and presented by providers...



