Yeah I would say generally hardware keys are actually EASIER for many older people to understand once you walk them through the process. The real problem, however, is that so many damn places (I am looking at you big banking!) either do not support the key, do not support the protocols that some keys use, or just easily allow you to fall back to another method.
If we can get to the point where a hardware key is universally accepted at all of the major places older people commonly use then I think it will be an easy sell. Showing someone how to open an authenticator app, scan a barcode, name it correctly, then later re-open the app to find the correct code (which is periodically expiring so they need to do this all relatively quickly) in ADDITION to their normal password (I see so many of them either put the code in the password field or some other combo) is actually quite a few steps. And once you get a ton of authenticator codes inside the app it can get confusing which is which unless you name them all carefully.
Telling someone "plug in this physical key" is a hell of a lot easier and so much more similar to what they are used to.
Yes, but I'm not sure this is limited to "older" people! It really helps to have a security model people can understand, operating like something they already know. You don't get phished at the front door either (if we're talking FIDO). The problem is the non-trivial expense. That leads to organizations like universities not using them and essentially insisting that everyone -- specifically students -- uses their own, possibly compromised smartphone, though you can get round that with on your laptop, say. That's also the device they're likely to use to connect too... And it's still phishing, we've heard of it.
On Duo, if you have multiple hardware keys registered, then you need to pick the key to use for 2FA before you get the prompt. If you pick the wrong key, it will fail. It is very easy to end up in a configuration where every time you need to perform a Duo login, you have to click 3 times to pick the right key.
Or you can skip the keys and get a mobile prompt, instantly, the moment you visit the page.
Of course, this has nothing to do with the underlying limitations of hardware keys. But vendors routinely mess up implementing them. We could really use some rock-solid open source WebAuthn implementations.
From what I've seen of people who go along with using their own phone for this, you can get the mobile prompt many times without doing anything, even when you're not being attacked (as far as we could tell, but I don't know what the actual cause has been). Sigh.
Does it still prompt you to pick a key if all you have are Security Keys enrolled? I can see if you've got other options they might want to check first before doing the WebAuthn process.
Joke's on you, first-world banks are well-known to have a huge lag in tech. Like still handing out dedicated TOTP devices or OTP scratch-cards. OTOH we have crypto exchanges running on the bleeding edge. Binance has (partial) FIDO2 support. I am not aware of any other.