> FIDO2 is built on the same security and privacy features of FIDO U2F: strong public key cryptography, no drivers or client software and one key for unlimited account access with no shared secrets.
They should've kept all the Microsoft stuff out of the post, other than just mentioning that they've been working on the spec together. The Azure stuff seems to have confused everyone about how this actually works.
There are also other app-based ways to login to websites with public key crypto, such as https://www.grc.com/sqrl/sqrl.htm, or https://www.civic.com/. But of course they are less secure than the hardware/Yubikey version, for the same reason Yubikey U2F tokens are more secure than Google Authenticator for 2FA (well, unless companies act stupid and enable "SMS backup" alongside Yubikey support, in which case it's even less secure than Google Auth-only as an option).
It looks like there's a W3C draft "in the works" but I'm concerned since almost half the editors work for the two companies trying to pass this proprietary Azure/AD vendor lock-in nonsense.
You may be comforted by the fact that the top three people on the Github contributor graph[1] are not from those two companies. I've skimmed some of the published meeting minutes[2], and JCJ (Mozilla) and JeffH (Paypal) seem to be highly involved.
The browser UI is terrible and there's been very little incentive to improve it. The largest user of client-side crypto that I'm aware of is the US DoD with the Common Access Card program, and they just train people on how to use the crappy UI.
> The browser UI is terrible and there's been very little incentive to improve it.
It seems like a chicken and egg problem. There's very little incentive to improve it because practically no one uses it. And no one uses it because it's a bad user experience.
But I would prefer it over using a Yubikey because, IMO, the private key should be associated with a machine, rather than a person. That is, if one of my devices is stolen or compromised, I can use another one of my devices to revoke the stolen/compromised device's access.
Beyond what the other comments mention... there's also the fact that most home users only use a single browser, and user account for everyone in the family.
