@whophd @siracusa the binary encoding stuff will get easier for sure, but for small projects, i think storing binary data (the spki) in your db will remain a bigger hurdle than “just saving passwords” and correctly passing around a challenge/response blob takes more to get right. that said, all the underlying tech is pretty stable, webauthn/fido has been relatively stable for >5 years but i don’t think i’ve seen particularly lean implementations for small sites. in js, i think passport-fido2-webauthn would probably be the closest but even it feels pretty heavyweight.
the bigger hurdles i think are that you generally need to allow for > 1 passkeys per acct, you should tie your passkeys’ RPID to some actually stable domain name, you need to have csrf-style challenges that you attach to auth requests, and if you’re doing it right you need to actually validate those last two. lastly, you also probably need to have some recovery system that looks a lot like one-time passwords or email recovery. none of these are “hard” but they add up to a lot more effort and cognitive burden than “throw a password column on the user table” which i think is probably why we haven’t seen a ton of 2fa implementations on small websites even though the mechanisms like fido or totp are widely available and reasonably well abstracted nowadays.