As someone who leads a major MDR and IR service, phishing was the root cause of about 7.5% of incidents last year. Exploits are #1 around 47% of incidents, followed by compromised credentials around 30% of incidents.

This only represents SME and Enterprise. Phishing likely could be #1 for individuals.

Sounds like you’re proposing WebAuthn which already exists. Keep in mind that there are attacks against RSA with PKCS1 padding. I’d use a more secure cryptographic primitive than RSA (I.e. elliptic curves) - there’s a reason cryptographic experts don’t look towards RSA these days.

MTTD isn’t a great metric on its own and suffers from only being useful after an attack.

I prefer Katz’ approach.