1. If I can fully physically own some of my authenticators. Aka if Yubikeys or similar hardware tokens are supported, so I don't have to long-term trust any corporation to correctly and securely store my credentials - with Yubikeys the only trust is that the hardware is free of vulnerabilities or backdoors.
2. If I'm guaranteed not to be bound to any single specific authenticator. Aka if I'm safe if I lose a Yubikey, assuming that I've prepared ahead of time (also see the next point).
3. If I can enroll an authenticator without having it physically present. Aka if I can sign up with one Yubikey and then tell the website "here is my phone, here's the public key of the Yubikey I keep in a safe, and here's a public key of a keypair I've generated on an airgapped machine, etched onto a titanium plate and buried in a secret stash, accept those for me as my alternative authenticators even though I don't have my private keys present". Aka if I don't have to run around the house (or worse) to just sign up for a website.
4. If I'm guaranteed to be able to use a software authenticator of my own development, should I want it (despite whatever site owners may think of it). Aka if there are no attestation requirements that force me to use authenticators I don't trust.
If it's "yes" to all four, then I'm in and advertising this to everyone I know about, because this is much better than a password manager. If 1, 2 and 4 are "yes" then I'm probably in with a mix of one HSM and one software authenticator with exportable private keys (so I have a guaranteed way out), but voicing my displeasure wherever I can as the system is inconvenient. If not, then I'm probably sticking with passwords for the time being.
1, 2, and 4) Yes, that's already possible. Look into Solo Keys for open source hardware and firmware. The standard allows for key manufacturer attestation but seems like the way it is going (especially with the proliferation of software authenticators) it likely won't be relevant in practice. You can also enroll many authenticators to the same account (provided the service allows it, which most do).
3) This is pretty hard/impossible, I think. The authenticators don't use the same key-pair for all websites (a la SSH through Yubikey), but rather create a per-service, per-credential key-pair, and encrypt it with the main key-pair. The encrypted credential key-pair is then handed off to the server for storage, and the service sends it back for the authenticator to decrypt and use during a challenge. Clever trick to not depend on local hardware memory and be able to have unlimited per-credential key-pairs, but afaik prevents you from just "adding lists of public keys".
I'm also not mentioning the resident keys aspect of the standard but that won't fix it as they're still service and credential based.
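The wrapping the reply describes, as an added example that is not the commenter's code and not any real authenticator's implementation: a toy authenticator in Go generates a fresh P-256 key per relying party, wraps the private scalar under its master key with AES-GCM (a symmetric master key is assumed here, where the reply says key-pair), binds it to the site via the AEAD additional data, and hands the result to the server as the credential ID. The site names, challenge and master key are constructed for the example; the point it shows is that the credential ID only opens on the authenticator that made it and only for that site, which is why a bare list of public keys cannot be enrolled this way.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"math/big"
)

// Authenticator holds the only long-lived secret: a master key that wraps per-credential private keys.
type Authenticator struct{ master []byte }

func NewAuthenticator() *Authenticator { k := make([]byte, 32); rand.Read(k); return &Authenticator{master: k} }

func (a *Authenticator) gcm() cipher.AEAD {
	blk, _ := aes.NewCipher(a.master)
	g, _ := cipher.NewGCM(blk)
	return g
}

// Register makes a fresh P-256 key for this relying party and returns the credential ID
// (the wrapped private scalar, bound to rpID as AEAD additional data) plus the public key.
func (a *Authenticator) Register(rpID string) (credID []byte, pub *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	g := a.gcm()
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	credID = g.Seal(nonce, nonce, priv.D.FillBytes(make([]byte, 32)), []byte(rpID))
	return credID, &priv.PublicKey
}

// Assert unwraps the credential ID the server sent back and signs the challenge with it.
// A credential ID from another site, or wrapped by another authenticator, fails to open.
func (a *Authenticator) Assert(rpID string, credID, challenge []byte) ([]byte, error) {
	g := a.gcm()
	if len(credID) < g.NonceSize() { return nil, errors.New("credential id too short") }
	d, err := g.Open(nil, credID[:g.NonceSize()], credID[g.NonceSize():], []byte(rpID))
	if err != nil { return nil, errors.New("credential not ours or not for this site") }
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: elliptic.P256()}, D: new(big.Int).SetBytes(d)}
	priv.X, priv.Y = priv.Curve.ScalarBaseMult(d)
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyAssertion is the relying party's side of the challenge.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```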
A simple proof of possession (pop), signed ahead of time, solves #3.
The message:
`{"pay":{"alg":"ES256","msg":"I own this key","tmb":"9PcBWntvjAktwfiPp8WxgOyQOwc1h6Lo1UnB_gkWXKk"},"sig":"eXuV0_HYCM-WnS2CbOnGXdce-9M8AzivCw23Hihtp1h69Ix6HwWCA79FR6cs3Nym2bWJoKajtnIY0xcTnuRnNQ"}`
The public key:
`{"alg":"ES256","kid":"Zami Mobile 2","x":"PZpmb3CI_2LTWcxopqjliqohPpmxFmNwKLb52wJgMg-4Xd0hTRKn7OruUMa3LvHmuTA9pHidocLHnEdOcQ04OA","tmb":"9PcBWntvjAktwfiPp8WxgOyQOwc1h6Lo1UnB_gkWXKk"}`
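As an added example that is not the commenter's tool: Go code that generates a P-256 key, emits a public-key record and a pre-signed proof of possession in the same spirit as the JSON above, and shows the check a site would run before accepting such a key for an authenticator that is not present. The thumbprint and signing-input conventions are assumed simplifications (SHA-256 over a fixed `{"alg","x"}` string, and over the payload's JSON), not the exact scheme behind the quoted message, so this code does not verify that specific message.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)

// PubKey is what the user hands the site for an absent authenticator: the raw P-256 point (x||y, base64url).
type PubKey struct{ Alg, Kid, X, Tmb string }
type Pay struct{ Alg, Msg, Tmb string } // the signed claim; Tmb names the key it was made with
var b64 = base64.RawURLEncoding

// thumbprint is SHA-256 over a fixed {"alg","x"} encoding (assumed convention, not the commenter's tool's).
func thumbprint(alg, x string) string {
	d := sha256.Sum256([]byte(`{"alg":"` + alg + `","x":"` + x + `"}`))
	return b64.EncodeToString(d[:])
}
// digest is the value that is signed: SHA-256 of the payload's JSON encoding.
func digest(p Pay) []byte { j, _ := json.Marshal(p); d := sha256.Sum256(j); return d[:] }

// NewPubKey encodes the public point and binds it to its thumbprint.
func NewPubKey(priv *ecdsa.PrivateKey, kid string) PubKey {
	x := b64.EncodeToString(append(priv.X.FillBytes(make([]byte, 32)), priv.Y.FillBytes(make([]byte, 32))...))
	return PubKey{Alg: "ES256", Kid: kid, X: x, Tmb: thumbprint("ES256", x)}
}

// Sign makes the proof of possession ahead of time; sig is raw r||s (64 bytes).
func Sign(priv *ecdsa.PrivateKey, p Pay) (string, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest(p))
	if err != nil { return "", err }
	return b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), nil
}
// Verify is the server-side enrolment check: key self-consistent, proof names this key, point valid, signature covers the payload.
func Verify(pk PubKey, p Pay, sig string) error {
	if pk.Alg != "ES256" || p.Alg != "ES256" { return errors.New("unsupported alg") }
	if thumbprint(pk.Alg, pk.X) != pk.Tmb || p.Tmb != pk.Tmb { return errors.New("thumbprint mismatch") }
	xy, err := b64.DecodeString(pk.X)
	rs, err2 := b64.DecodeString(sig)
	if err != nil || err2 != nil || len(xy) != 64 || len(rs) != 64 { return errors.New("bad encoding") }
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xy[:32]), Y: new(big.Int).SetBytes(xy[32:])}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) { return errors.New("point not on curve") }
	if !ecdsa.Verify(&pub, digest(p), new(big.Int).SetBytes(rs[:32]), new(big.Int).SetBytes(rs[32:])) { return errors.New("bad signature") }
	return nil
}
```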