Hacker News

Could we not all agree that the only reason we don't like passwords is that people try to remember them, they are reusable, they are simple, and once stolen we have a hard time telling if the user is genuine?

If that's the case, can't we default to sending an out-of-band request (e.g. push to phone, or fall back to TOTP) for authorization, and if that's not available, require a long, random, website-and-account-unique password be entered that is kept in a browser's password manager?

The last case, "user lost everything", is more sticky. Can they still log into their e-mail? If so, they can initiate a password reset (and we'll assume that one day e-mail will be secure) and store a new random password in a browser password manager, and register a new external device for push-auth. The hinge point here is the e-mail account, which may need more robust protection.

This scheme should work with existing systems without new standards, be resistant to password reuse & cracking, default to a second factor, allow somewhat reasonable recovery, and not require a hardware token. (The idea that the hardware token is needed to defeat phishing is bogus imho; the browser password manager can auto-fill the password field for the correct site, and refuse to do so for phishing sites)
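The scheme the comment above sketches, worked through as an added example (this is not the commenter's code, and it is not any vendor's password-manager implementation): a server-side ordering of push, then TOTP per RFC 6238, then a vault-held random password, together with a toy password manager that releases a credential only on the exact HTTPS origin it was saved for, which is the anti-phishing property the last paragraph relies on. The names `Vault`, `login_step` and `authenticate` are this example's own, push approval is modelled as a plain boolean, and the TOTP key used in the self-check is the public RFC 4226/6238 test-vector key.

```python
"""Added illustration of the push -> TOTP -> vault-password scheme discussed
above (example code, not the commenter's).  Names such as Vault, login_step
and authenticate are assumptions of this example."""
import hashlib
import hmac
import secrets
import string
import struct
from urllib.parse import urlsplit

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, fixed-width decimal."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second counter."""
    return hotp(key, at // STEP, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept +/- `window` steps of clock drift; compare in constant time."""
    return any(hmac.compare_digest(totp(key, at + d * STEP), code)
               for d in range(-window, window + 1))


def random_password(length: int = 24) -> str:
    """Website-and-account-unique secret the user never has to remember."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class Vault:
    """Toy browser password manager.  Credentials are keyed by exact origin,
    so a lookalike host, a different port, or a plain-http page gets nothing."""

    def __init__(self):
        self._store = {}

    @staticmethod
    def origin(url: str):
        u = urlsplit(url)
        if u.scheme != "https" or not u.hostname:
            return None  # never fill on http or malformed URLs
        return (u.hostname.lower(), u.port or 443)

    def register(self, site: str, account: str) -> str:
        pw = random_password()
        self._store[(self.origin(site), account)] = pw
        return pw

    def autofill(self, page_url: str, account: str):
        """Return the password only if the page origin matches exactly."""
        key = (self.origin(page_url), account)
        return self._store.get(key) if key[0] else None


def login_step(user: dict) -> str:
    """Server-side ordering: out-of-band push first, then TOTP, and only
    then the vault-held password."""
    if user.get("push_device"):
        return "push"
    if user.get("totp_key"):
        return "totp"
    return "password"


def authenticate(user: dict, *, push_approved=False, code="", password="",
                 now=0) -> bool:
    """Run whichever step login_step selects for this user."""
    step = login_step(user)
    if step == "push":
        return bool(push_approved)  # the push service's answer, modelled as a bool
    if step == "totp":
        return verify_totp(user["totp_key"], code, now)
    salt, digest = user["pw_hash"]
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    vault = Vault()
    pw = vault.register("https://example.com/login", "alice")
    user = {"pw_hash": hash_password(pw)}
    filled = vault.autofill("https://example.com/account", "alice")
    assert authenticate(user, password=filled or "")
    # A lookalike host gets no credential, so there is nothing to phish.
    assert vault.autofill("https://example.com.evil-login.test/login", "alice") is None
```

The origin check is the whole argument: the vault compares scheme, host and port, not a substring of the URL, so `example.com.evil-login.test` and `http://example.com` both come back empty. Recovery (the "user lost everything" case) is outside this block; it only shows the three factors in the order the comment proposes.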


