Err... and how is my software token generated? Where is it stored? Can I move it around browsers, e.g. use it with my Mobile Firefox after I generated in on the desktop?

In other words, I can't use it in production (yet), because I'd need to ask users to change browser settings for it to work. That's disappointing :(

You can use it in production for users who have hardware tokens (and it is used in production by many sites for 2FA). But if you mean you can't _exclusively_ use it in production, then yes that is probably true since not all users will have authenticators (yet).

It’s almost like the designers thought - we are so damn close to killing the password, but, nah, why bother.