“…Like U2F, it supports hardware authentication devices as a second factor; however, most importantly, it also supports them as a single factor for passwordless authentication. Considering the institutions backing FIDO2, this new standard has been presented in the media as a "password-killer" [4], [5], [6], [7]. Also from an academic point of view, using the framework by Bonneau et al. [1] (as we explain in Section II), FIDO2 seems like a promising candidate for succeeding text-based passwords as the incumbent end-user authentication scheme: it provides credentials that cannot be phished or replayed, nor are they subject to server breaches; being an open web authentication standard (WebAuthn), it is supported by virtually all browsers, and native implementations, like on Android and Windows, exist and more are forthcoming; it can provide a consistent user experience; and it supports various authenticator devices, including security keys, like the ones from Yubico or Feitian, but also integrated authenticators commonly available on end-user devices, like Trusted Platform Modules, Android keystore, or Apple TouchID.…”
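The three properties the excerpt credits to FIDO2 (credentials that cannot be phished, cannot be replayed, and are not exposed by a server breach) each correspond to a concrete step of the WebAuthn assertion ceremony. The Go program below is an added illustration, not code from the quoted paper or from any FIDO2 implementation: it models a security key, the browser and a relying party for a "webauthn.get" ceremony with P-256 ECDSA, then shows which check rejects a replayed assertion and which rejects one relayed through a phishing origin. The rpId "example.com", the origins, the error names and the simplified authenticatorData (extensions, attestation and CBOR encoding omitted) are assumptions made for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

var ErrReplay = errors.New("challenge unknown or already consumed (replay)")         // demo sentinel, assumed name
var ErrOrigin = errors.New("origin or rpIdHash is not ours (phishing or wrong site)") // demo sentinel, assumed name

// ClientData is the part of WebAuthn CollectedClientData used here; the browser, not the page, fills it in.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the relying party.
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4); extensions omitted in this demo
	ClientDataJSON []byte
	Signature      []byte // ASN.1 DER ECDSA over SHA-256(authData || SHA-256(clientDataJSON))
}

// RelyingParty stores only a public key and outstanding challenges: a breach of this state yields nothing that logs in.
type RelyingParty struct {
	ID, Origin string // rpId ("example.com") and the origin the browser must report
	pub        *ecdsa.PublicKey
	pending    map[string]bool
}

// Enroll stands in for registration: the key pair is generated on the authenticator and only the public half is sent.
func Enroll(rpID, origin string) (*ecdsa.PrivateKey, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &RelyingParty{ID: rpID, Origin: origin, pub: &priv.PublicKey, pending: map[string]bool{}}, nil
}

// NewChallenge issues a fresh random challenge that Verify will accept exactly once.
func (rp *RelyingParty) NewChallenge() string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	ch := base64.RawURLEncoding.EncodeToString(buf)
	rp.pending[ch] = true
	return ch
}

// toBeSigned builds the WebAuthn signature input SHA-256(authData || SHA-256(clientDataJSON)).
func toBeSigned(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign models browser plus authenticator: the browser records the origin it is really on and hashes the rpId; the key signs both.
func Sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for this struct
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1 (simplified)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, toBeSigned(authData, cd))
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// Verify runs the relying-party checks (WebAuthn §7.2): single-use challenge (no replay), origin and rpIdHash (no phishing), signature.
func (rp *RelyingParty) Verify(a Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" {
		return errors.New("malformed clientDataJSON or wrong ceremony type")
	}
	if !rp.pending[cd.Challenge] {
		return ErrReplay
	}
	delete(rp.pending, cd.Challenge) // consumed whether or not the remaining checks pass
	want := sha256.Sum256([]byte(rp.ID))
	if cd.Origin != rp.Origin || len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return ErrOrigin
	}
	if !ecdsa.VerifyASN1(rp.pub, toBeSigned(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("assertion signature invalid")
	}
	return nil
}

func main() {
	priv, rp, _ := Enroll("example.com", "https://example.com")
	a, _ := Sign(priv, rp.ID, rp.Origin, rp.NewChallenge())
	p, _ := Sign(priv, rp.ID, "https://example.com.evil.test", rp.NewChallenge()) // same key, relayed via a phishing page
	fmt.Println("genuine:", rp.Verify(a), "| replayed:", rp.Verify(a), "| phished:", rp.Verify(p))
}
```

Run it and the genuine assertion verifies, the same assertion presented a second time fails the single-use challenge check, and the one relayed through the phishing origin fails the origin check even though its signature is valid for the user's key. In a real deployment the browser already refuses to exercise an example.com credential from another origin (rpId scoping), so the relying-party checks are defence in depth; and because the relying party holds only the public key, a copy of its database gives an attacker nothing that can be presented as a login.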