Several years ago I had the opportunity to sit on the FIDO Alliance Board. While there we debated the future of authentication and commissioned the work to develop FIDO 2. I walked away from that experience convinced that multi-factor authentication should and now could replace the insecure use of passwords without a second factor like the use of our secure thing [device, card, or dongle], or our unique biometric(s).
Recently, my colleague Jeff and I have been trying to understand how the various enhancements to WebAuthn, FIDO 2, and CTAP will allow users to use multiple devices without having to register each device with its own unique public/private key pair.
As a result of our conversations and research, it is clear that a single provider such as Apple can, within its proprietary environment, enable access to a Relying Party (RP) from multiple devices, with each challenge authenticated with one public key.
Concepts like keychains and the use of secure channels established via BLE, Cable or QR code are clear. Signed assertions are the tool that lets a device prove it has access to the private key resident in the secure element of one of the user’s devices.
The FIDO Alliance is focused on solving these challenges.