From the demo, it looks like WebAuthn "platform" support is restricted to biometrics. This is challenging from an accessibility standpoint as well as just in-general for user experience. Is it possible to add the ability to unlock keys using "anything the device can be unlocked with" here? This seems to be in-line with how WebAuthn platform authenticators are implemented elsewhere (Windows Hello, Android, etc). There doesn't seem to be a security benefit to doing it the way it's currently being done, unless all platform keys are blown away on biometric profile change, which I think will be unfortunate.
<rdar://problem/64783399>
(In reply to Christiaan Brand from comment #0) > From the demo, it looks like WebAuthn "platform" support is restricted to > biometrics. This is challenging from an accessibility standpoint as well as > just in-general for user experience. Is it possible to add the ability to > unlock keys using "anything the device can be unlocked with" here? This > seems to be in-line with how WebAuthn platform authenticators are > implemented elsewhere (Windows Hello, Android, etc). There doesn't seem to > be a security benefit to doing it the way it's currently being done, unless > all platform keys are blown away on biometric profile change, which I think > will be unfortunate. The current implementation does allow fallback to passcode if Touch ID/Face ID fails multiple times in a row. It's an interesting point to offer it directly to users with some forms of accessibility features turned on.
My two cents: I would love to see the Apple Watch added to "anything the device can be unlocked with". We have tried out Apple Watch unlock since it was enabled in Chrome 84 (now in beta), and we think it provides a great user experience. Touch ID works nicely with your hands actually on the Mac keyboard. With your Mac connected to an external monitor and keyboard, it may require more effort, either because the sensor falls out of reach from your position, or because the lid is closed. Because the Apple Watch is always on your hand, it provides a very close, connected and intuitive user experience. Also works great in demos :-)
I think most of the goals of this suggestion have been handled with the new Passkeys initiative.