While implementing what was supposed to be a rather straightforward use case of second-factor authentication via WebAuthn, I ran into a surprising number of roadblocks that made my implementation harder than it should've been. Complicating the procedure was that I initially implemented the hardware key checking using the old deprecated U2F protocol — which, for the record, was more straightforward.
However, WebAuthn is the future — just look how slick this guide is! If that's not going to make you think it'll be done lickety-split, I don't know what will. Reading through that helpful guide (put together by the fine folks at Duo), I couldn't help but be struck by how "enterprise-y" it all felt. It did not bode well, and my fears were not unfounded.
I decided to put this post together as a catch-all for the problems I faced in my implementation, with direct links to, or write-ups of, the solutions.