You are using that fallacy incorrectly. Additionally, quoting fallacies at people is in itself a fallacy when used in this way, is tiresome, and probably best avoided.

Webauthn has a number of severe usability downsides that will conspire to hamper its adoption outside of use cases where people are literally forced to use it.

1. The keys cannot be backed up. Nobody is going to accept being locked out of their online accounts if they lose a physical key.

2. Nobody wants to mess with a physical key when logging in anyways. At least TOTP can live in my password manager.

3. The options for not having physical keys are platform specific, tie you to a platform provider's account for backup, and turn an operating system reset, a new smartphone, a badly applied ban, or an account lockout from an annoyance into a possibly catastrophic loss of functionality.

None of these are problems in the enterprise because they have simple workarounds. For the rest of us? Yuck. I will gladly keep my platform independent, easy to back up, widely ubiquitous standard with the trade-off of looking at the URL bar when logging in and not clicking links in emails.
People saying that we cannot deprecate and replace TOTP because it is better than SMS is broken logic thrown around in places like HN -constantly- and -that- is tiresome to me. It seems like a verbatim of the fallacy I linked, but I admit I linked it out of frustration with seeing this poor defense of TOTP constantly.

To your points:

1. Multiple devices such as Ledger support FIDO key backups in the form of transcribing simple English words to paper. Most services support multiple webauthn devices registered at once, though, which is simpler for most people. You can also, as a last resort, offer a user a one-time-use 2FA reset code just like TOTP sites do if you wish. Lots of options.

2. Your laptop and phone already have built-in webauthn authenticators if you have a device made in the last several years.

3. See #1 for backup options.

The default paths for TOTP recommended to most like Google Authenticator do not have a backup solution either. Users will have to research alternative TOTP solutions that support backups just like Webauthn, so that situation is no worse.

Webauthn is as good or better in UX and better in every way in security. People had to learn to use TOTP, which is complicated. People capable of using TOTP are technical enough to register two webauthn devices like a phone and a YubiKey, or a phone and a laptop, or failing all else a phone and a paper backup.
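The two recovery options the reply above leans on (several authenticators registered on one account, and a set of one-time reset codes as a last resort) are easy to get subtly wrong on the server side: codes stored in plaintext, codes that can be redeemed twice, or a "remove authenticator" path that leaves the account with no way in. The following is an added example, not code from Hacker News or from any WebAuthn library, sketching an account record that handles those cases. The `Account` class, its method names and the `cred-*` credential IDs are invented for illustration; real WebAuthn credential IDs are opaque bytes chosen by the authenticator.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: per-account state for multiple registered
# authenticators plus hashed, single-use recovery codes.
RECOVERY_CODE_COUNT = 8
RECOVERY_CODE_BYTES = 5  # 10 hex chars per code; enough for a demo


def _normalize(code: str) -> str:
    """Accept codes typed with or without the dash / stray whitespace."""
    return code.replace("-", "").strip().lower()


class Account:
    def __init__(self, username: str) -> None:
        self.username = username
        self.credentials: dict[bytes, str] = {}  # credential id -> label
        self._salt = os.urandom(16)
        self._recovery_hashes: set[bytes] = set()

    # --- multiple authenticators ------------------------------------
    def register_authenticator(self, credential_id: bytes, label: str) -> None:
        if credential_id in self.credentials:
            raise ValueError("credential already registered")
        self.credentials[credential_id] = label

    def remove_authenticator(self, credential_id: bytes) -> None:
        self.credentials.pop(credential_id, None)

    def can_sign_in_without(self, lost_credential_id: bytes) -> bool:
        """True if losing this one device still leaves another way in."""
        others = set(self.credentials) - {lost_credential_id}
        return bool(others) or bool(self._recovery_hashes)

    # --- one-time recovery codes ------------------------------------
    def _hash(self, code: str) -> bytes:
        # Salted hash so a database leak does not hand out usable codes.
        return hashlib.sha256(self._salt + _normalize(code).encode()).digest()

    def issue_recovery_codes(self) -> list[str]:
        """Generate a fresh set; invalidates any previously issued codes.
        Plaintext is returned exactly once for the user to write down."""
        codes = []
        for _ in range(RECOVERY_CODE_COUNT):
            raw = secrets.token_hex(RECOVERY_CODE_BYTES)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self._recovery_hashes = {self._hash(c) for c in codes}
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        """Consume a code: succeeds at most once per issued code."""
        candidate = self._hash(code)
        for stored in self._recovery_hashes:
            # compare_digest keeps the check timing-independent of the match
            if hmac.compare_digest(stored, candidate):
                self._recovery_hashes.discard(stored)
                return True
        return False

    def remaining_recovery_codes(self) -> int:
        return len(self._recovery_hashes)


if __name__ == "__main__":
    acct = Account("alice")
    acct.register_authenticator(b"cred-phone", "phone")
    acct.register_authenticator(b"cred-yubikey", "yubikey")
    print("lose phone, still ok:", acct.can_sign_in_without(b"cred-phone"))
    codes = acct.issue_recovery_codes()
    print("redeem once:", acct.redeem_recovery_code(codes[0]))
    print("redeem twice:", acct.redeem_recovery_code(codes[0]))
```

The `can_sign_in_without` check is the piece most services skip: a "remove device" button should refuse (or at least warn) when the device being removed is the only registered authenticator and no recovery codes remain, since that is the exact lockout scenario the parent comment objects to.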
