Sure, ideally we can decouple the provider implementation and use a yubikey-type device if we want, or let the OS Secure Enclave handle it for the 99% of users that don’t care.
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.
The main point is it should be a protocol from the PoV of the consuming site, rather than a cop-out requirement enacted on the easiest place to legislate.