According to Mozilla's docs & that issue, it seems like WebAuthn considers the UA and the "authenticator" different. The authenticator, here, is a hardware device, either a separate security key or a TPM. But that really means that the hardware the keys are on is a SPoF, and it shows in the comments in the GitHub issue.
The thread seems to resolve this with "every RP should allow the user to add more authenticators"; this is, to me, something that's not going to work:
1. asking a user to buy two phones, TPMs, or hardware security keys isn't going to happen, realistically, and the consequence of it can't be "the user is locked out of their account"
2. even if I do 1, I need to do the "add a second authenticator" flow for my backup authenticator each time I register an account. In the event that I do have an authenticator become compromised, or simply just succumb to hardware failure (what's the warranty on a modern phone?), I need to do an O(accounts) operation to migrate to a new authenticator?
3. OIDC has taught me that RPs don't get this. I think StackOverflow is the only site I've seen correctly separate "account on the RP" from "auth from OP used to log in" into a one-to-many relationship. I doubt RPs will get it right for WebAuthn, but we'll see.
… I should note that MFAs share some of these problems too. I used Google Authenticator for an MFA, and then my phone reached the end of its useful life, after a short 9 years. Turns out: there's no way to migrate Google Authenticator's data to a new device! Thankfully, in my case, I was retiring the device, and it wasn't completely dead, so I could still use it, and thus, migrate the accounts. And it was an O(accounts) operation. ("Thankfully" (/s), many of my "2FA" accounts were using SMS, so there wasn't too much to migrate from Google Auth.)
At least with a password manager, I can back up & move the managed passwords to another device. (Though to be clear, OIDC > each site has its own password, to me.)
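The one-to-many account/authenticator model the comment says RPs keep getting wrong, as an added illustration (not code from the thread or from any real RP library): a toy relying-party store where an account owns several credentials, a lost key can be revoked without locking the user out, and an audit lists accounts that are one hardware failure away from lockout. The class and method names and the credential ids are assumptions; assertion signature verification is left out, only the WebAuthn sign-counter check is shown.

```python
from dataclasses import dataclass, field


@dataclass
class Credential:
    credential_id: bytes
    public_key: bytes      # stand-in for the COSE public key the RP stores
    sign_count: int = 0    # authenticator signature counter (clone detection)
    label: str = ""        # e.g. "phone", "backup key"


@dataclass
class Account:
    username: str
    credentials: dict = field(default_factory=dict)  # credential_id -> Credential


class RelyingParty:
    """Account -> many authenticators, so one dead device is not a lockout."""

    def __init__(self):
        self.accounts = {}

    def register(self, username, credential_id, public_key, label=""):
        acct = self.accounts.setdefault(username, Account(username))
        if credential_id in acct.credentials:
            raise ValueError("credential already registered")
        acct.credentials[credential_id] = Credential(credential_id, public_key, 0, label)

    def revoke(self, username, credential_id):
        acct = self.accounts[username]
        if len(acct.credentials) == 1:
            raise ValueError("refusing to remove the last authenticator; add a backup first")
        del acct.credentials[credential_id]

    def authenticate(self, username, credential_id, sign_count):
        """Accept an assertion if the credential belongs to the account and its counter advanced.
        A real RP verifies the assertion signature against cred.public_key here as well."""
        acct = self.accounts.get(username)
        cred = acct.credentials.get(credential_id) if acct else None
        if cred is None:
            return False
        if (sign_count or cred.sign_count) and sign_count <= cred.sign_count:
            return False  # counter did not advance: replay or cloned authenticator
        cred.sign_count = sign_count
        return True

    def single_authenticator_accounts(self):
        """Audit: accounts whose only registered authenticator is a single point of failure."""
        return sorted(u for u, a in self.accounts.items() if len(a.credentials) == 1)
```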