So, I went on the demo website (https://webauthn.io/) to try it with a recent desktop Firefox.
I enter a username, press "Register" and Firefox gives me a prompt to "login [with a security key] and authorize", with only a "Cancel" button. And that's all that happens.
Wait, so I can only use this stuff with a hardware token? Bummer!
Err... and how is my software token generated? Where is it stored? Can I move it around browsers, e.g. use it with my Mobile Firefox after I generated it on the desktop?
You can use it in production for users who have hardware tokens (and it is used in production by many sites for 2FA). But if you mean you can't _exclusively_ use it in production, then yes that is probably true since not all users will have authenticators (yet).
If you're using Windows I think you need to set up a PIN or the Hello auth method.
Once Windows has a quick way to authenticate you, it'll offer that when you register.
I recently implemented this in a library (https://pypi.org/project/django-webauthin/), and Firefox mobile (at least for me) won't log you in if you're using resident keys. Registering the key works, but not authenticating. It's odd.