> Cloudflare just happened to be slightly different enough that it broke their automation.
This type of attack just can't work on targets which are properly secured with FIDO authenticators. So it's not really "slightly different". The minimum adjustment the attackers can make is probably something like "Hire motorcycle couriers, add a step where the user is told their token needs replacing, a courier comes out and takes it, we get the token". Which is a very different ball game from "Make some web sites and install this off-the-shelf phishing toolkit".
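Added illustration, not part of this thread, of why a reverse-proxy relay moves a TOTP code but not a FIDO assertion: a stand-in relying party runs the WebAuthn origin and rpIdHash checks against what the browser actually wrote. All hostnames and keys are constructed, and HMAC stands in for the credential's asymmetric signature.

```python
import hashlib, hmac, json, struct

RP_ID, RP_ORIGIN = "corp.example", "https://login.corp.example"   # constructed relying party
PHISH_ORIGIN = "https://login-corp-sso.example"                    # attacker's reverse proxy
CRED_KEY = b"credential-key-stand-in"   # HMAC stands in for the credential's asymmetric signing key
TOTP_SECRET = b"shared-totp-seed"

def browser_get_assertion(page_origin, rp_id, challenge):
    """Browser+authenticator side of credentials.get(): origin comes from the browser, rp_id must match it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("browser: RP ID not valid for this origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)  # rpIdHash|flags|count
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig

def rp_verify_assertion(client_data, auth_data, sig, challenge):
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    want = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, want)

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1; the code says nothing about where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), "sha1").digest()
    off = mac[-1] & 0x0F
    return "%0*d" % (digits, (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits)

def totp_relay_succeeds(now=1_700_000_000):
    """Victim types the code into the phishing page; the proxy forwards it within the same time step."""
    typed_on_phish_page = totp(TOTP_SECRET, now)
    return typed_on_phish_page == totp(TOTP_SECRET, now)   # RP accepts the relayed code

def webauthn_relay_succeeds(challenge="challenge-forwarded-from-real-rp"):
    """Same proxy asks the victim's browser for an assertion under each RP ID it could name."""
    for rp_id in (RP_ID, "login-corp-sso.example"):
        try:
            cd, ad, sig = browser_get_assertion(PHISH_ORIGIN, rp_id, challenge)
        except ValueError:
            continue           # browser refused the real RP ID from the phishing origin
        if rp_verify_assertion(cd, ad, sig, challenge):
            return True
    return False               # (a real authenticator would also hold no credential for the proxy's RP ID)
```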
Fine. But by Cloudflare's own statement it didn't fail because they used webauthn, it failed because they didn't use TOTP.
Think of it like a bank robber showing up to a job to crack a safe with an autodialer. He will have no problems on 9/10 banks that use dial safes, but this one has an electronic keypad. The electronic keypad being better or worse is irrelevant, it protected the bank because the robber brought the wrong tool.