Hacker News

On Duo, if you have multiple hardware keys registered, then you need to pick the key to use for 2FA before you get the prompt. If you pick the wrong key, it will fail. It is very easy to end up in a configuration where every time you need to perform a Duo login, you have to click 3 times to pick the right key.

Or you can skip the keys and get a mobile prompt, instantly, the moment you visit the page.

Of course, this has nothing to do with the underlying limitations of hardware keys. But vendors routinely mess up implementing them. We could really use some rock-solid open source WebAuthn implementations.



From what I've seen of people who go along with using their own phone for this, you can get the mobile prompt many times without doing anything, even when you're not being attacked (as far as we could tell, but I don't know what the actual cause has been). Sigh.


Does it still prompt you to pick a key if all you have are Security Keys enrolled? I can see if you've got other options they might want to check first before doing the WebAuthn process.



