> This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices...
Or only allow completely unauthenticated devices as a fallback when there is no other available authenticated device.
A computer not having any keyboard is a rare case. Most of the time you have what is built-in (and should be authenticated) or what came with the computer (and should be authenticated).
Allowing unauthenticated keyboards only on detection of no authenticated ones probably covers 99.9% of all use cases and increases security dramatically.