There are three notable disadvantages from a security, privacy, and portability perspective.
- Security – Identity and authentication credentials are permanently connected to the computer or phone. If these devices are compromised (i.e. a rooted phone), they are subject to exploits and are subject to misuse of the stored credentials. Furthermore, social attacks are common where the attacker tricks the user to download and install malicious apps on these devices and provide an avenue to attack to the protected credentials.
- Portability – With your credentials tied to a integrated device, it may be difficult to use your credentials between devices, or bootstrap your identity to a new device.
- Privacy – Built-in authenticators do provide benefits of additional user interfaces to help guide the most optimal user experience. With that, the identity of the owner of the account can be linked to the owner of the phone even before authentication has occurred. When using a security keys, the anonymity of the user in question is protected both because it is far less trivial to determine the owner of a security key than the owner of a phone, and because a security key gives no outward sign of being associated.