top | item 39969949

ivlad | 1 year ago

For our corp environment we initially embraced software-backed FIDO authenticators (aka passkeys), but now I am almost ready to start enforcing only hardware authenticators via attestation.

The worst offender is (of course!) Google. In Chrome they bend the interface as much as they could to lure people into using Android as a key holder (and to sync it later on) even when platform authentication is available. Apple was very unfriendly by making their WebAuthn API private, so Safari used Keychain, Chrome did not have access to it (and forced Android), and Firefox could only use Yubikeys.

And now password managers are jumping into this, so when a user tries to enroll the device in a browser with a password manager extension (looking at you, Bitwarden) on a platform with software authenticators, good luck finding the right combination of clicks to choose a Yubikey.

Enshittification of FIDO auth happened unbelievably fast.
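The "enforce hardware authenticators via attestation" step the commenter is about to take is a relying-party decision: the server asks for an attestation at registration, decodes the attestationObject, reads the AAGUID out of the authenticator data and accepts only AAGUIDs it has allowlisted. The code below is an added example, not code from the original post or from any product mentioned in it. It assumes the attestation statement's signature and certificate chain have already been verified (normally against the FIDO Metadata Service) and only makes the policy decision; the allowlisted AAGUID and the sample attestation objects are constructed for the example, not captured from a real device.

```javascript
// Added example (not from the original post): server-side policy gate that
// accepts a WebAuthn registration only when the attestation identifies an
// allowlisted hardware authenticator. Signature/chain verification of the
// attestation statement is assumed to have happened before this runs.

const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_AT = 0x40;  // authData flag bits
const ZERO_AAGUID = '00000000-0000-0000-0000-000000000000';
// Placeholder allowlist entry (an assumption for this example). In production the
// set is built from FIDO Metadata Service entries for the approved hardware keys.
const HARDWARE_AAGUIDS = new Set(['11111111-2222-3333-4444-555555555555']);

// Minimal CBOR decoder: major types 0-5 with lengths below 2^32, which covers an
// attestationObject (a map of fmt / attStmt / authData). Returns [value, nextOffset].
function decodeCbor(bytes, offset = 0) {
  const major = bytes[offset] >> 5, info = bytes[offset] & 0x1f;
  let len = info, pos = offset + 1;
  if (info === 24) { len = bytes[pos]; pos += 1; }
  else if (info === 25) { len = (bytes[pos] << 8) | bytes[pos + 1]; pos += 2; }
  else if (info === 26) { len = bytes[pos] * 2 ** 24 + (bytes[pos + 1] << 16) + (bytes[pos + 2] << 8) + bytes[pos + 3]; pos += 4; }
  else if (info > 26) throw new Error(`unsupported CBOR additional info ${info}`);
  switch (major) {
    case 0: return [len, pos];                                   // unsigned int
    case 1: return [-1 - len, pos];                              // negative int
    case 2: return [bytes.slice(pos, pos + len), pos + len];     // byte string
    case 3: return [new TextDecoder().decode(bytes.slice(pos, pos + len)), pos + len];  // text
    case 4: { const arr = []; for (let i = 0; i < len; i++) { const [v, n] = decodeCbor(bytes, pos); arr.push(v); pos = n; } return [arr, pos]; }
    case 5: { const map = {}; for (let i = 0; i < len; i++) { const [k, n1] = decodeCbor(bytes, pos); const [v, n2] = decodeCbor(bytes, n1); map[k] = v; pos = n2; } return [map, pos]; }
    default: throw new Error(`unsupported CBOR major type ${major}`);
  }
}

function toUuid(b) {  // 16 raw bytes -> 8-4-4-4-12 hex form used in FIDO metadata
  const h = Array.from(b, x => x.toString(16).padStart(2, '0')).join('');
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// authData layout: rpIdHash[32] | flags[1] | signCount[4] | (if AT) aaguid[16] |
// credIdLen[2] | credId | COSE public key (CBOR). The COSE key is not decoded here.
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error('authData too short');
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset, authData.byteLength).getUint32(33);
  const out = { rpIdHash: authData.slice(0, 32), flags, signCount, aaguid: null, credentialId: null };
  if (flags & FLAG_AT) {
    if (authData.length < 55) throw new Error('attested credential data truncated');
    out.aaguid = toUuid(authData.slice(37, 53));
    const credLen = (authData[53] << 8) | authData[54];
    out.credentialId = authData.slice(55, 55 + credLen);
  }
  return out;
}

// The policy gate. Returns { accepted, reason, credentialId? }.
function evaluateRegistration(attestationObjectBytes, allowedAaguids) {
  const [attObj] = decodeCbor(attestationObjectBytes);
  if (attObj.fmt === 'none') return { accepted: false, reason: 'no attestation: cannot tell hardware from software' };
  const auth = parseAuthData(attObj.authData);
  if (!(auth.flags & FLAG_AT)) return { accepted: false, reason: 'no attested credential data' };
  if (auth.aaguid === ZERO_AAGUID) return { accepted: false, reason: 'zero AAGUID: authenticator declines to identify itself' };
  if (!allowedAaguids.has(auth.aaguid)) return { accepted: false, reason: `AAGUID ${auth.aaguid} not in hardware allowlist` };
  return { accepted: true, reason: `fmt=${attObj.fmt} aaguid=${auth.aaguid}`, credentialId: auth.credentialId };
}

// --- constructed sample attestation objects (not captured from a real authenticator) ---
function concat(...parts) { const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0)); let o = 0; for (const p of parts) { out.set(p, o); o += p.length; } return out; }
function cborText(s) { const b = new TextEncoder().encode(s); return concat(Uint8Array.of(0x60 | b.length), b); }        // len < 24
function cborBytes(b) { return b.length < 24 ? concat(Uint8Array.of(0x40 | b.length), b) : concat(Uint8Array.of(0x58, b.length), b); }  // len < 256
function buildSample(fmt, aaguidHex) {
  const rpIdHash = new Uint8Array(32).fill(0xab);                     // stands in for SHA-256(rpId)
  const flags = Uint8Array.of(FLAG_UP | FLAG_UV | FLAG_AT), signCount = Uint8Array.of(0, 0, 0, 1);
  const aaguid = Uint8Array.from(aaguidHex.match(/../g), h => parseInt(h, 16));
  const credId = Uint8Array.of(1, 2, 3, 4), cosePubKey = Uint8Array.of(0xa0);  // empty map stands in for the COSE key
  const authData = concat(rpIdHash, flags, signCount, aaguid, Uint8Array.of(0, credId.length), credId, cosePubKey);
  return concat(Uint8Array.of(0xa3), cborText('fmt'), cborText(fmt), cborText('attStmt'), Uint8Array.of(0xa0), cborText('authData'), cborBytes(authData));
}

for (const [fmt, aaguid] of [['packed', '11111111222233334444555555555555'], ['none', '11111111222233334444555555555555'], ['packed', '00'.repeat(16)], ['packed', 'ff'.repeat(16)]]) {
  console.log(fmt, JSON.stringify(evaluateRegistration(buildSample(fmt, aaguid), HARDWARE_AAGUIDS).reason));
}
```

For the gate to see anything but fmt "none", the client-side `PublicKeyCredentialCreationOptions` must set `attestation: "direct"` (or `"enterprise"`); the WebAuthn default is `"none"`, under which browsers strip the attestation and every registration fails the first check. Setting `authenticatorSelection.authenticatorAttachment: "cross-platform"` additionally tells the browser to offer roaming keys instead of the platform or synced options the comment complains about, though only the attestation check actually enforces it.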
