WebAuthn supports authentication or multi-factor authentication with either hardware keys or authentication features that are built into the device used (Windows Hello, Android with a fingerprint, ...).

Given the case that a user registered with a device bound key that can't be used to access the account on a different device and the user does not own a portable key that can be used on all of his devices: How can the user add a second device bound key to his account?

The only idea that came to my mind was to allow registering a new key during login if the user authenticates this in a special dialogue on an authenticated device. However, this might open the door to phishing attacks where an attacker (who would only need the username in case of direct login using WebAuthn) asks the user to authenticate while he waits for a key registration request on the login page.

The solution would be to use dedicated hardware keys; the question is whether there is a different way here, e.g. for users that don't have hardware keys but want to use WebAuthn on a Windows laptop and Android.

Jonas Osburg
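One way to structure the "add a second device" step so that it never depends on approving a registration request that arrives from the login page, as an added Python example that is not part of the question or of any WebAuthn library: enrollment starts on the device that is already logged in, which issues a short-lived, single-use enrollment token; the user carries that token to the new device, and only the holder of a valid token receives a registration challenge. `AccountService`, `begin_add_device`, `redeem_token`, `finish_registration`, the five-minute TTL and the `cred-*` identifiers are assumptions of this illustration; the real WebAuthn calls (`navigator.credentials.create()` on the client and attestation verification on the server) are stood in for by plain random challenge strings.

```python
"""Device-enrollment flow for adding a second device-bound WebAuthn credential.
Illustrative code, not a WebAuthn library: random strings stand in for the
browser's navigator.credentials.create() challenge and the relying party's
attestation verification."""
import secrets
import time
from dataclasses import dataclass

ENROLLMENT_TTL_SECONDS = 300  # assumed: an enrollment token lives five minutes


@dataclass
class EnrollmentToken:
    user: str
    issued_at: float
    used: bool = False


class AccountService:
    """In-memory relying party. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self.now = now
        self.credentials = {}   # user -> list of registered credential ids
        self.sessions = {}      # session id -> user, set only after a verified login
        self.tokens = {}        # enrollment token -> EnrollmentToken
        self.challenges = {}    # registration challenge -> user

    def add_user(self, user, first_credential_id):
        self.credentials[user] = [first_credential_id]

    def login(self, user, credential_id):
        """Stand-in for a verified WebAuthn assertion on an already enrolled device."""
        if credential_id not in self.credentials.get(user, []):
            raise PermissionError("unknown credential")
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = user
        return session_id

    def begin_add_device(self, session_id):
        """Step 1, on the device that is already logged in: issue a short-lived,
        single-use enrollment token. Nothing on the login page can reach this
        step, because it requires an authenticated session, not just a username."""
        user = self.sessions.get(session_id)
        if user is None:
            raise PermissionError("enrollment must start from an authenticated session")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = EnrollmentToken(user=user, issued_at=self.now())
        return token

    def redeem_token(self, token):
        """Step 2, on the new device: the user types in the token they read from
        the authenticated device. Only then is a registration challenge issued,
        and the token is consumed so it cannot be replayed."""
        entry = self.tokens.get(token)
        if entry is None or entry.used:
            raise PermissionError("invalid or already used enrollment token")
        if self.now() - entry.issued_at > ENROLLMENT_TTL_SECONDS:
            raise PermissionError("enrollment token expired")
        entry.used = True
        challenge = secrets.token_urlsafe(32)
        self.challenges[challenge] = entry.user
        return challenge

    def finish_registration(self, challenge, new_credential_id):
        """Step 3: the new device returns its freshly created credential for the
        outstanding challenge. The challenge is consumed; attestation checking
        is omitted here. Returns the user's credential list after the addition."""
        user = self.challenges.pop(challenge, None)
        if user is None:
            raise PermissionError("unknown or reused registration challenge")
        self.credentials[user].append(new_credential_id)
        return list(self.credentials[user])


if __name__ == "__main__":
    svc = AccountService()
    svc.add_user("alice", "cred-laptop")          # constructed sample account
    session = svc.login("alice", "cred-laptop")   # Windows Hello login, simulated
    token = svc.begin_add_device(session)         # shown on the laptop
    challenge = svc.redeem_token(token)           # typed into the phone
    print(svc.finish_registration(challenge, "cred-phone"))
```

The direction of the flow is the security-relevant part: the trusted device is never asked to approve something that originated on a login page, so a party who knows only the username has no request to get approved. The token itself is a bearer secret, so the page that displays it should say it is to be entered only on the user's own new device, and adding a credential should trigger a notification to the account's existing contact channel so an unexpected addition is noticed.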
