Why are passkeys better?
Login flows generally seem poorly written, and passkeys have now made them more complex. Are they worth it?
Benefits:
- They ?require? secure elements. A website can then know that a subsequent request comes from the same private key in the same secure element: there is a cryptographic ?root of trust? / ?chain of attribution? that connects a given request to a previous one. (Learned from one of Matt Green's former students.)
- They are public/private-key auth. The server stores only the public key, so a breach of the server's database gives an attacker nothing they can log in with.
- They are phishing-resistant: the credential is bound to the site's origin (the browser checks the URL bar exactly), so it is never released to a lookalike domain.
In short, they are hardware-computed credentials that are gated behind your Google/Apple/1Password login.