But for the average website, passwordless is confusing for the end user.
I've researched WebAuthn for a web game to see if I could make the login native and seamless. And it sucked. In Windows, it would prompt a confusing window asking for either a USB key, Windows Hello (So, a PIN or face, and most people don't have this feature enabled), or to use a QR code. The average user won't know what they should do, so they won't be able to register.
Also, it's really hard to use your account on other devices. Like, if you log in first with a Google phone, then yeah, you'll be able to use your key by scanning a QR when prompted on your computer. But if you log in with a computer first, you won't be able to use your key anywhere else because exporting keys isn't implemented anywhere yet.
I've ended up just implementing Google and Apple OAuth, since WebAuthn requires accounts anyways to store your keys (Microsoft on Windows, Google on Android, Apple on Mac/iOS), so why not just log in with them directly?
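The "USB key / Windows Hello / QR code" chooser described above appears when a site leaves `authenticatorSelection` unset. As an added example (not code from anyone in this thread), here is client-side registration code that narrows the request to the device's built-in authenticator and asks for a discoverable, user-verified credential; the `rpId`, user id, challenge format (base64url from the server) and helper names are assumptions.

```javascript
// Added example: WebAuthn registration options that constrain the authenticator
// so the OS shows one path (e.g. Windows Hello) instead of a multi-option chooser.
// Assumption: the server sends challenge and user id as base64url strings.

function base64urlToBytes(b64url) {
  const b64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64url(bytes) {
  const bin = String.fromCharCode(...new Uint8Array(bytes));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Builds PublicKeyCredentialCreationOptions for navigator.credentials.create().
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
    challenge: base64urlToBytes(challenge),
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "platform", // built-in authenticator only: no USB/QR prompt
      residentKey: "required",             // discoverable credential, i.e. a passkey
      userVerification: "required",        // PIN or biometric, not just a touch
    },
    timeout: 60000,
    attestation: "none", // no attestation statement needed for a consumer site
  };
}

// Browser-only: runs the ceremony and serialises the result for the server.
async function registerPasskey(params) {
  const cred = await navigator.credentials.create({ publicKey: buildRegistrationOptions(params) });
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    clientDataJSON: bytesToBase64url(cred.response.clientDataJSON),
    attestationObject: bytesToBase64url(cred.response.attestationObject),
  };
}
```

The trade-off is the one the thread is circling: a platform-only credential never offers the roaming-key or QR cross-device path, so a user who registers on a Windows PC has no way to use that credential elsewhere unless the platform syncs it.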
Because the goal of WebAuthn is to not depend on any company's infrastructure.
And there's work being done in that direction. Apple supports passkeys from third-party password managers, 1Password has a Passkey beta and KeePassXC has a pull request working on passkey support. [0]
That independence is a design goal of passkeys, because they want to replace passwords and passwords are independent by their nature.