This line of reasoning doesn't hold up at all. The best practice advice 'avoid security through obscurity' has nothing to do with what you're talking about. Also, FIDO absolutely relies on secrets: that's what a security key stores.
I'd be interested to hear how you think law enforcement and intelligence could still work without confidentiality.
Although the typical design for a FIDO key uses what is technically a symmetric ("secret") key that's an implementation detail and the purpose of the FIDO device is to maintain asymmetric (private) keys.
If you've been under the impression that FIDO is just a shared secret system like TOTP then I've got great news, it's much cleverer than that. By not relying on secrets the system is robust against total incompetence by a relying party. If say Facebook paste all the U2F credentials they have for your account into a public Pastebin, not only can that not be used to attack your Login.gov account secured with the same FIDO key, it can't even be used to attack the Facebook account the credentials are for.
Military intelligence services actually rely heavily on analysis of public information. The value of the exciting and expensive Hollywood-style secret agent is mostly in their ability to do stuff, mostly illegal and immoral stuff, not a benefit to collecting intelligence.
You've totally lost me, and it's not because I misunderstand FIDO. The private key you refer to must be kept secret or the credential is compromised. Yes, this is undoubtedly better than passwords, because the system automatically prevents credential re-use across services and is more resilient than a password hash, but it still requires secrecy. You're not providing an example of a system that functions without the need for secrecy, you're providing an example of a system that uses a very tightly controlled secret, known only to the party that needs it i.e. the FIDO key. Sounds a bit like the principles of need-to-know and compartmentation used by intelligence services...
Open source is useful, to be sure, but so are informants / agents, and the safety of those sources and their continued usefulness is completely dependent upon secrecy. If that's too Hollywood then consider undercover law enforcement.
Something is a _secret_ only if at least two people know it. This makes a tremendous difference because now either of them might betray the confidence, a _private_ fact can't be given away by anybody else, it is yours to keep private or not.
Society blurs this line a lot by telling people things are "Private" when in fact they're only a secret, and then there is an opportunity to betray them. This happens for payment cards for example, bank representatives have been known to tell even a court of law that bank employees can't find out your PIN, so if a PIN was used it proves the customer was negligent or actively participated in the transaction. In fact, of course, the PIN is a secret, so the bank and thus its employees are aware of the customer's PIN and an insider could in fact perform transactions using PIN verification despite no negligence by the customer.
I was super surprised to learn AWS will only allow you to register a single FIDO token - the inherent lockout risk pushed me back to using OTP with the seed stored in multiple Yubikeys.
No, the whole point of U2F/FIDO is that phishing sites can't extract a usable credential from the key because everything is tied to the origin requesting the authentication.
Do you drop tracking cookies or scripts that fingerprint the users visiting your site? No? Well by resisting the push to TLS, you're allowing ISPs and who knows who else to inject that content into the sessions of your users.
If your concern is just with government expenditures, sure, but you can also make the argument that prioritising rural areas could give them a head start on the growth of digital services. Taking Australia from being a market where cities have ~okay~ internet and rural areas have poor internet to one where at first everyone has okay to great connectivity and later everyone has great connectivity has its merits.
Someone correct me if I'm wrong, but isn't the explicit purpose of intelligence agencies to gather intelligence about foreign countries (allied or otherwise) to further the national interest? I don't really see how this is a creep of power (as opposed to, say, counter-terror activities, where an agency that previously only surveilled foreign powers may now monitor its own citizens).
French intelligence services are using this to ask more money and less restraint right now, that's how funding and manpower comparisons made it in the article. US intel services probably did the same a couple of years back when Obama moaned about chinese spying.
Overall, a significant share of these powers have been and will be used in ways and for goals that are detrimental to the well-being of democratic political systems.
I'm not defending any state spying, but geopolitics is different from individual interactions. Not anticipating the moves of the other nations means risking millions of lives of people from you country. Wars, nuclear wars, economic depression, etc. It's sad but we haven't yet solved many problems to fully become a democratic Earth (e.g. distribution of knowledge, election of politics. which basically are the same problems we see in distributed computing systems).
There is no such thing "national interest." There is only the interest of individuals. Sometimes they align with the majority of people, sometimes they do not.
I'd be interested to hear how you think law enforcement and intelligence could still work without confidentiality.