Is there a security or other reason that we can only trigger biometrics from the web via webauthn?


I would like to add biometrics capability to my web app.

It seems to me that the only way to trigger device unlock (biometrics, PIN etc.) is with the WebAuthn API through navigator.credentials.get(): https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/get

Is there a security reason or some other reason to be forced to use this rather complex API?

WebAuthn is a very complex way for a very important but actually very simple task, and the WebAuthn way with passkeys is coupled with things like private key management with a password manager or security keys. Not everyone uses password managers, 99% will never use security keys, and passkey syncing is half-baked (auto-syncing inside Apple/Google, but for different platforms you are supposed to create different passkeys, indicating a maintenance hell in the future).

I believe the future of authentication is nonetheless: trusted device possession + biometrics / PIN authentication.

That is why I am asking whether there is some security or other consideration behind restricting web apps to a complex WebAuthn flow to utilize built-in device unlock checks.

It would be great to have more alternatives and freedom on the web to do what native apps already can: trigger device unlock checks and get the result. Nothing more, nothing less.

I found an ongoing discussion about having this feature in the signing process in Web Crypto, but it is far from reality as of now: https://github.com/w3c/webcrypto/issues/350


Answer by Tim:

You ultimately need a cryptographic artifact that can be presented to your service to authenticate the user, as biometrics and device PIN are validated on the local device in the authenticator. A passkey is that artifact (a cryptographic key pair used for user authentication in a privacy preserving manner).

https://passkeys.dev