(Edited and removed) Let's start with the basics: many applications do not support WebAuthn, full stop. Even shops that roll it out are forced to keep holes open for business-critical applications that don't support it. Security is not easy, and the entire field is not negligent; the problem is massively asymmetrically stacked against security practitioners, enhanced by poisonous attitudes like the ones expressed here.
An underlying issue is that Microsoft Active Directory does not support MFA of any kind at all. That's why third-party PAM vendors exist, but they don't really change the fact that the most widely deployed authentication service in business is effectively run by password hashes. That's the whole reason we so commonly see the "mimikatz scraped a hash from RAM and it was all over" write-up in incidents.
Smartcards exist, but their use is clunky in practice (I'm aware Yubikeys may now function this way). For everything else, Microsoft's current MFA solution is "just use the cloud".
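As an added example (not part of the comment above, and not anything the commenter posted), here is a PowerShell check for the host-level settings that decide whether the "mimikatz scraped a hash from RAM" scenario works on a given domain-joined machine: LSA Protection (RunAsPPL), WDigest cleartext caching, and whether Credential Guard is actually running. The registry paths, value names and the Win32_DeviceGuard WMI class are Microsoft's documented ones; the function name and the output fields are this example's own choices.

```powershell
# Added example, not from the comment above: audit the settings that control
# whether an LSASS memory read on this host yields usable credential material.
# Registry paths and value names are Microsoft's; the function name and output
# shape are this example's own assumptions.

function Get-LsassHardeningStatus {
    [CmdletBinding()]
    param()

    $lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

    # LSA Protection (RunAsPPL): 1 = enabled with UEFI lock, 2 = enabled without
    # UEFI lock. Anything else (or missing) means LSASS runs unprotected and any
    # admin process can open it with PROCESS_VM_READ.
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name 'RunAsPPL' `
                 -ErrorAction SilentlyContinue).RunAsPPL

    # WDigest: UseLogonCredential = 1 makes LSASS keep cleartext passwords in
    # memory. Missing or 0 is the default since Windows 8.1 / Server 2012 R2;
    # a value of 1 on a modern host is a classic attacker-set "downgrade".
    $useLogonCred = (Get-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' `
                     -ErrorAction SilentlyContinue).UseLogonCredential

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning lists the
    # VBS-backed services actually running; value 1 is Credential Guard.
    # Configured-but-not-running is the common failure mode, hence checking
    # the *Running* property rather than *Configured*.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credGuardRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        LsaProtectionEnabled   = ($runAsPpl -eq 1 -or $runAsPpl -eq 2)
        WDigestCleartextStored = ($useLogonCred -eq 1)
        CredentialGuardRunning = $credGuardRunning
    }
}

# Usage: run elevated; the WMI query needs an admin token on most builds.
Get-LsassHardeningStatus | Format-List
```

Two caveats worth keeping in mind when reading the output. Credential Guard isolates NTLM hashes and Kerberos keys from LSASS so an in-memory scrape comes back empty, but it does nothing about an attacker who simply uses the live logon session on that host, and RunAsPPL can be removed by anyone who can load a signed kernel driver. Neither setting changes the commenter's underlying point: the domain controller still authenticates the account with a password-derived key, so the hash remains the thing worth stealing wherever it is exposed.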
> Security is not easy, and the entire field is not negligent - the problem is massively asymmetrically stacked against security practitioners, enhanced by poisonous attitudes like the ones expressed here.
Is remaining in a role in which it's not possible to be effective negligent?
I don't have a specific alternative, but I think that if it's not possible to be effective in a role, one should decline it. It's possible to be an effective SWE while still writing (and hopefully also sometimes fixing) bugs.