I'm not that enthusiastic about Google, Apple and Microsoft doing away with passwords as a factor, because it's one of the few areas left on these platforms where people have some control over their own . puri.sm/posts/microsoft-ruined


That said, I understand why *they* would be enthusiastic to move people to authentication methods rooted in their hardware that make you (and other vendors that integrate with it) dependent on them for authentication.

@kyle I'm guessing the companies prefer these other two-factor approaches over an OpenPGP smart card precisely because the latter allows user-controlled keys?

@twrightsman They don't trust the user. They do trust the hardware *now* because they can control it remotely and can prevent unauthorized software from running. Combined with their keys inside the secure element, the user just provides minimal in-person proof it's them (biometrics) while the hardware does the heavy lifting for trust.

@kyle I both agree and disagree with you. Hardware-based authentication mechanisms do have advantages, and there are many open source (both software and hardware) projects out there that are FIDO2 compliant. So there is a way to go password-less without the need to buy into their hardware.

@ullgren It sounds like we agree. I like and appreciate methods like FIDO2 and think there is a place for all three kinds of factors in combinations dependent upon threat. What I am opposed to is completely eliminating one of the factors, especially when it's one that gives more control to the individual.

