Hacker News

This makes it possible to implement support for WebAuthn purely in software, making use of a processor's trusted execution environment or a Trusted Platform Module (TPM).

Hell no. Do NOT want. No no no no no, never.

A password is a simple concept. That stuff seems more aligned with incentives to create complexity, and thus increase possibility of things going wrong. Not to mention the overall dystopian nature of it all.




What’s your plan to reduce the number of successful phishing attacks?

Password managers are a perfectly reasonable answer, but they need to hide the text entry field, to make sure everybody actually uses the password manager instead of entering a password by hand.
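The phishing resistance both sides of this exchange are arguing about comes down to one mechanism: the browser, not the page, decides which origin and RP ID an authenticator sees, and the relying party refuses anything that was produced for a different one. The following is an added illustration of that check, not code from the thread or from any real WebAuthn implementation. The domains, challenge and credential are constructed for the demo, and the signature is an HMAC with a shared per-credential secret standing in for the authenticator's real public-key signature (an assumption made only to keep the example dependency-free).

```python
"""Why a WebAuthn assertion cannot be replayed from a look-alike domain.

Constructed demo (not a real implementation): the browser fixes the origin
and RP ID from the document actually loaded, the authenticator signs over
them, and the relying party rejects anything that does not match its own.
The HMAC below stands in for the authenticator's ECDSA/EdDSA signature.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- browser + authenticator side (constructed) ---------------------------
CRED_SECRET = secrets.token_bytes(32)   # stand-in for the credential's private key
CRED_ID = b"demo-credential-1"          # constructed credential ID


def browser_get_assertion(page_origin: str, requested_rp_id: str, challenge: bytes) -> dict:
    """Model of navigator.credentials.get(). The page supplies only the
    challenge and the RP ID it wants; the browser checks that RP ID against
    the loaded document's host and writes the real origin into clientDataJSON."""
    host = urlsplit(page_origin).hostname or ""
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        # Real browsers raise a SecurityError here; a phishing page cannot
        # ask for the victim site's RP ID.
        raise ValueError(f"SecurityError: rpId {requested_rp_id!r} is not a suffix of {host!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP set) || 4-byte sign counter
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON)
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    return {"id": b64url(CRED_ID), "clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data), "signature": b64url(sig)}


# --- relying party side (constructed) -------------------------------------
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def rp_verify(assertion: dict, expected_challenge: bytes) -> tuple:
    """Checks a relying party performs on an assertion; returns (ok, reason)."""
    client_data = b64url_decode(assertion["clientDataJSON"])
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "short authenticator data"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(assertion["signature"])):
        return False, "bad signature"
    return True, "ok"


def demo() -> tuple:
    """Legitimate login, then a phishing page on a look-alike domain that
    relays the genuine challenge. Returns (good, blocked_by_browser, phished)."""
    challenge = secrets.token_bytes(32)
    good = rp_verify(browser_get_assertion("https://login.example.com", RP_ID, challenge), challenge)
    try:  # phisher asks for the victim's RP ID: the browser refuses outright
        browser_get_assertion("https://login.examp1e.com", RP_ID, challenge)
        blocked_by_browser = False
    except ValueError:
        blocked_by_browser = True
    # Phisher asks for its own RP ID instead (a real authenticator would hold no
    # credential for it); even with one, the origin and rpIdHash betray it.
    phished = rp_verify(browser_get_assertion("https://login.examp1e.com", "examp1e.com", challenge), challenge)
    return good, blocked_by_browser, phished


if __name__ == "__main__":
    print(demo())
```

The user never compares domains in this flow, which is the difference from a typed password: a password manager only approximates the same guarantee by refusing to autofill on a non-matching origin, and that protection evaporates the moment someone pastes the secret by hand.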


Education. Not turning users into even more idiotic helpless creatures.


Education has been the plan for the past twenty years. Has it worked?


How long did it take for most people to become literate in general?


Unfortunately, we live in the present, not hundreds of years in the future. The fact that it took so long for literacy to take hold seems like an argument against trying to use education as your go-to solution to a problem, since it’s not only slow, but also spreads unevenly and unpredictably.

Also, I resent the comparison between advocating a defensive design, and being opposed to literacy. It’s not as if I’m advocating for locked bootloaders, or anything else that would prevent a determined user from doing whatever they want. I’m arguing that manual password management should not be the obvious default.


"I resent the comparison between advocating a defensive design, and being opposed to literacy."

Perhaps you shouldn't - this is like Conway's law: systems tend to mimic the communication structures of their organizations.

When you design a system which encourages a certain philosophy, you create "positive" potential in that direction. By designing and promoting systems which reduce user control, you further the communication model of top down hierarchical control.

Why should I trust WebAuthn? What stops it from itself being hacked? People with password managers, with no control over authentication, end up less, not more, secure. The only way to increase security is modularization - if you don't want phishing attacks to occur, you should isolate the process. You should have more than one password, and you should absolutely not store them all in one place.

There have been several indications in this thread of how you can isolate the process; none of them require overly complex, Big Brother-esque solutions.





