From the outside, a lot of this looks like bikeshedding over threat models (personally I don't care for attestation, but I see why that's in there now). Which yes, easily gets coopted into lock-in.
Passwords (aka "shared secrets") are a poor solution for webservice authenticates, & I hope password managers like BitWarden can do away with most of their issues whilst paving the path away from them!
Add comment