So much fail
"A smartphone is something that end-users typically already have..."
I don't. Know why? Because they're expensive and designed primarily to benefit carriers and manufacturers. They are riddled with buggy proprietary software and firmware and untrustworthy as all hell.
"This framework for passwordless authentication relies heavily on mobile devices, and thus also on the security of the underlying OS. That's by design, FIDO said."
So it's broken by design, then.
It's not very difficult for a human of ordinary intelligence to examine a password and determine whether it's strong or weak. It's also not very difficult to avoid phishing attacks: block all email from people you don't trust, use a provider that enforces DKIM (most do) or do so yourself, use a plain-text MUA, type URIs instead of clicking links, and stop answering phone calls if you haven't already (99% of all phone calls are spam and/or scam). While this may not quite be enough if you are a spy or a CEO, it will suffice for the other 99.99% of us.
However, I defy anyone, even an expert in the field, to look at a USB dongle or smartphone and tell whether its authentication functionality is strong, weak, defective, or malicious. It basically can't be done, especially if the software and firmware are proprietary -- let's not even start on hardware -- so this is a step backwards from passwords. And worse, the more trust is placed in such devices by upstream service providers like banks, the harder it will be to avoid the consequences of unknowingly using an insecure, defective, or malicious device for authentication. Oh well, your life savings are gone and you can't get them back. Good thing we have unlimited lives in which to start over!
I'll stick with my strong passwords in a physical notebook kept in a hidden safe, thanks. That's never failed me and I don't expect it ever will. If you won't let me use a password to authenticate myself, I'll take my business elsewhere.
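The mail rules the comment above lists (allowlist senders, require DKIM, plain-text only) as an added Python example that is not part of the original comment; the allowlist, the authserv-id and the sample messages are constructed. It goes one step beyond the comment by trusting only Authentication-Results stamped by your own MX and by requiring the DKIM signing domain to match the From domain, since a valid signature from an unrelated domain says nothing about the sender.

```python
import re
from email import message_from_string, policy, utils
# Hypothetical allowlist and the authserv-id our own MX stamps (constructed values).
TRUSTED_SENDERS = {"alice@example.org", "statements@example-bank.test"}
OUR_AUTHSERV = "mx.example.net"

def parse_auth_results(header):
    # Split an RFC 8601 Authentication-Results value into (method, result, props) tuples.
    parts = [p.strip() for p in str(header).split(";")]
    results = []
    for part in parts[1:]:  # parts[0] is the authserv-id that stamped the header
        m = re.match(r"(\w+)=(\w+)(.*)", part)
        if m:
            method, result, rest = m.groups()
            props = dict(re.findall(r"(?:\w+\.)?(\w+)=(\S+)", rest))  # header.d=x -> d: x
            results.append((method, result, props))
    return results

def accept(raw):
    # Apply the comment's rules to one raw RFC 5322 message; returns (accepted, reason).
    msg = message_from_string(raw, policy=policy.default)
    addr = utils.parseaddr(msg.get("From", ""))[1].lower()
    if addr not in TRUSTED_SENDERS:
        return False, "sender not on allowlist"
    # Trust only results stamped by our own MX (any sender can add a look-alike header); a DKIM pass counts only if the signing domain d= equals the From domain.
    domain = addr.rsplit("@", 1)[-1]
    aligned = False
    for hdr in msg.get_all("Authentication-Results", []):
        stamp = str(hdr).split(";", 1)[0].split()
        if stamp and stamp[0] == OUR_AUTHSERV:
            for method, result, props in parse_auth_results(hdr):
                if method == "dkim" and result == "pass" and props.get("d", "").lower() == domain:
                    aligned = True
    if not aligned:
        return False, "no aligned DKIM pass from our MX"
    if msg.get_body(preferencelist=("plain",)) is None:  # plain-text MUA rule
        return False, "no text/plain part"
    return True, "ok"
# Constructed sample messages (not real mail); no Content-Type header means text/plain.
GOOD = """From: Alice <alice@example.org>
Authentication-Results: mx.example.net; dkim=pass header.d=example.org header.s=sel1

Lunch tomorrow?
"""
FORGED = """From: Alice <alice@example.org>
Authentication-Results: evil.test; dkim=pass header.d=example.org
Authentication-Results: mx.example.net; dkim=pass header.d=evil.test

Please review the attached invoice.
"""
```

The FORGED sample shows both failure modes at once: a sender-supplied Authentication-Results header that names a different authserv-id is ignored, and the genuine DKIM pass from the MX is for a domain other than the From domain.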