In addition to FIDO2, you can add a Java applet for OpenPGP (also open source), TOTP (https://github.com/JavaCardOS/Oath-Applet) and PIV/smartcard (open source as well). I tell you more - there are tons of JavaCardOS compatible applets available on GitHub etc.
There are systems supporting WebAuthn as the primary method, such as Gmail or M365. The systems requiring OTP or SMS as a backup are just examples of bad security design. Still, even if you have OTP as a backup and FIDO2 as primary, it reduces the phishing attack surface to a certain extent.
Factory-programmed ones are for systems supporting secret key import, i.e. Microsoft Entra ID. It is not for replacing your Authenticator apps (although based on the same algorithm, TOTP).
I don't think discoverable credentials on hardware authenticators are a good default pattern (even though requiring(!) resident/discoverable keys is the suggested behavior [2] by the FIDO alliance!?).
They have their uses for special use cases for authentication against local or otherwise non-synchronized relying parties, or as a component of authentication protocols that aren't a good fit for native WebAuthN (like SSH), but a regular old website can just ask me for my user ID (which is my email address in 99% of all cases).
Unfortunately, there isn't [1] a way to say (in WebAuthN API terms) something like "give me a discoverable credential if you have unlimited storage, otherwise never mind", so as far as I understand, a relying party can only say "preferred" (taking up a scarce slot on a HW authenticator) or "discouraged" (making a platform credential non-discoverable needlessly, except on platforms that ignore that flag anyway, like Apple/iCloud Keychain).
As an aside, that issue [1] having been closed without any accommodation for that use case fits with my anecdotal observation of the WebAuthN working group having largely pivoted towards the "Passkey paradigm". Hardware authenticators somehow don't feel like a first-class API concern anymore.
I'm kinda hoping Yubi come out with a version 6 with many more "passkey" CTAP2 slots too. Because I don't only use FIDO functionality, but I heavily use the OpenPGP slots as well. Not for email but for other things (file encryption, password manager, SSH). Not planning to change any of that to FIDO any time soon either.
Yeah, but without resident keys you’ll have to carry a file containing the key handle around with you from computer to computer (where you want to use the Yubikey-resident SSH key). And if you ever lose the file, your key is lost too!
This is because SSH doesn’t have a centralized RP model that’s kind of implied in FIDO and WebAuthN for non-resident keys.
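As an added example (not code from the thread or from OpenSSH), the Python below builds a constructed, unencrypted openssh-key-v1 blob in the sk-ssh-ed25519@openssh.com layout that OpenSSH documents in PROTOCOL.u2f, then parses it back to show what the "private" file for a non-resident FIDO SSH key actually holds: public key, application string, flags and the opaque key handle, but no secret scalar. That is why the file must travel with you and be backed up, or the credential enrolled as a resident key instead. All key bytes are constructed placeholders, and real files are usually passphrase-protected, which this parser deliberately rejects.

```python
import struct

# Constructed sample values (not from any real key): 32-byte public key, default
# application string, and an opaque key handle as returned at enrollment.
KEY_TYPE = b"sk-ssh-ed25519@openssh.com"
PUB, APP, COMMENT = bytes(range(32)), b"ssh:", b"demo@constructed"
KEY_HANDLE = bytes.fromhex("a1b2c3d4" * 16)

def ssh_string(b):
    return struct.pack(">I", len(b)) + b
def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sk_private_blob():
    """Unencrypted openssh-key-v1 blob for a non-resident sk-ssh-ed25519 key (PROTOCOL.u2f layout)."""
    pubkey = ssh_string(KEY_TYPE) + ssh_string(PUB) + ssh_string(APP)
    priv = struct.pack(">II", 0xC0FFEE00, 0xC0FFEE00)   # two matching check ints
    priv += ssh_string(KEY_TYPE) + ssh_string(PUB) + ssh_string(APP)
    priv += bytes([0x01])                               # flags: user presence required
    priv += ssh_string(KEY_HANDLE) + ssh_string(b"") + ssh_string(COMMENT)  # handle, reserved, comment
    pad = 1
    while len(priv) % 8:                                # pad to the "none" cipher block size
        priv += bytes([pad]); pad += 1
    return (b"openssh-key-v1\0" + ssh_string(b"none") + ssh_string(b"none")
            + ssh_string(b"") + struct.pack(">I", 1) + ssh_string(pubkey) + ssh_string(priv))

def parse_sk_private_blob(blob):
    """Fields the 'private' file holds: no secret scalar, just the opaque key handle."""
    assert blob.startswith(b"openssh-key-v1\0")
    off = len(b"openssh-key-v1\0")
    cipher, off = read_string(blob, off)
    assert cipher == b"none", "example handles unencrypted files only"
    for _ in range(2):                                  # skip kdfname, kdfoptions
        _, off = read_string(blob, off)
    off += 4                                            # nkeys
    _, off = read_string(blob, off)                     # public key string
    priv, _ = read_string(blob, off)
    c1, c2 = struct.unpack_from(">II", priv, 0)
    assert c1 == c2, "check ints differ: corrupt file"
    ktype, off = read_string(priv, 8)
    pub, off = read_string(priv, off)
    app, off = read_string(priv, off)
    flags, off = priv[off], off + 1
    handle, off = read_string(priv, off)
    _, off = read_string(priv, off)                     # reserved
    comment, _ = read_string(priv, off)
    return {"type": ktype, "pub": pub, "app": app, "flags": flags,
            "key_handle": handle, "comment": comment}
```

Feeding a real unencrypted `id_ed25519_sk` (base64 body decoded) into `parse_sk_private_blob` shows the same thing: the only per-key material on disk is the handle the authenticator needs to re-derive the key.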
In case anyone is looking for a desktop app to replace Authy, the authy-migration tool from token2 supports exporting TOTP seeds in WinAuth compatible format (use .wa.txt for the export file name). Then in WinAuth (https://winauth.github.io/winauth/index.html), just import that file.