Arguing SMS is better than TOTP is like arguing IE7 is better than IE6. Sure, but both are so far from being anywhere near a reasonable solution today I cannot understand why people make an argument like this seriously.
Everyone has a webauthn capable device, if not multiple, right now.
The only reason phishing is still a thing is because people keep implementing and defending phishable 2FA methods.
iPhones have only just gotten support for acting as Bluetooth authenticators, and from what I can tell, Android devices have only had it for a year or so. So we only now seem to be at the point where most people would have a device they could use as a WebAuthn authenticator across multiple devices, making it only now a viable replacement for TOTP for most people (without buying a hardware authenticator). I don't see anything shameful about still supporting what was until recently the best option for most people.
(Personally, I'll be waiting until 1Password gets WebAuthn support before moving to it from TOTP.)
People can also use software browser-plugin authenticators, or software solutions provided by their operating systems. Even software-anchored webauthn still stops far more threats than TOTP or SMS. That said, few would need that fallback as TouchID or Chromebook authenticators or Windows Hello all work great too.
1Password is a centralized and proprietary database system that leaks all secrets to system memory every time you use one. Why would you want that to manage webauthn secrets for you? You just tap your webauthn device when prompted. No third party control required.
And if I need to sign in on another device, I can't use that platform authenticator, as it's tied to that device. So I'd have to either have another WebAuthn authenticator, or use a fallback method like TOTP or SMS, which defeats the whole point of using only WebAuthn. And most people won't go and buy a hardware authenticator. So like I said, WebAuthn is only now just starting to become viable for the average person to use instead of TOTP.
You simply add each device you want to log in with as a trusted device. Most services allow you to add as many devices as you want. I do not understand why this is an adoption barrier.
And then if you get a new device, you have to somehow log in on that new device (with either backup codes, enabling TOTP or SMS 2FA temporarily, etc.), and add the new device as an authenticator. And repeat that across every service. Same for new and existing accounts: people don't want to have to add every device to every service they use. Not being able to use your WebAuthn authenticator on other devices is an adoption barrier (as is the alternative of buying a hardware authenticator).
Hi. Concerning 1Password and leaking to system memory… What about the others like Bitwarden/Vaultwarden or KeePass and Strongboxsafe? Aren’t they doing the same?
Any password manager would need to decrypt passwords in order to use them, and that has to be done in system memory. And short of using something like a TPM or Secure Enclave, or asking for the master password each time, the decryption keys have to be in memory as well. You're always going to be subject to the security of the OS you're running on as to who can read your process's memory.