As someone who’s followed and kept up with browser security for 15 yrs (CORS, CSP, all the security headers, TLS changes) and even the early U2F stuff - passkeys and this webauthn stuff is approaching too-complex territory for me. Maybe I am just jaded by now, but I don’t feel the same about other changes. Like the new Sanitizer APIs are easy to understand and advocate for.