
> My claim that the passkeys are strictly worse than passwords applies specifically in the sense that, as a form of authentication, passkeys do not prove that the person logging into the site is actually the person they say they are.

This isn't theory. Design should be data driven rather than ideologically driven.

> It is easier to hack or steal a phone than it is to read your mind.

Mind reading is observably not the only way to obtain somebody's password. As you say in your next paragraph, this is extremely important when considering passwords. Plenty of things work great if you simply exclude all the cases when they don't work great. Everybody sucks at detecting phishing, even security professionals. This is demonstrated through clear data. "Well, I had to do something to get owned" is not meaningful. We should not care about the ideological purity of practical systems. We should care about their practical outcomes.

> Those situations are exactly why password systems must be designed NOT to store the password on any devices, whether that's a file on a phone or laptop, or a cell in a database. Every time the password is written down, it is effectively already compromised as an authentication tool because it's no longer just something you know.

This is also largely wrong from a practical perspective. Chrome can happily store your saved passwords on disk if you don't want to sync with a backend service. This adds minimal risk, since a rogue program that can read all your files is very likely to be able to fuck you even if the passwords are only ever temporarily stored in memory.
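The phishing point above is the crux of the passkey argument: a password is bearer data, so a copy typed into a lookalike site replays fine against the real service, while a passkey assertion carries the origin the browser saw and is rejected if that origin is not the relying party's. The following is an added, simplified illustration (not code from the thread or from any real WebAuthn library): it models only the origin and RP ID checks a relying party performs, omits signature, counter and user-presence verification, uses a plain SHA-256 password hash purely to show replayability, and assumes the constructed names `EXPECTED_ORIGIN`, `EXPECTED_RP_ID` and the sample password.

```python
import hashlib
import json

# Constructed example: a toy relying party (RP) that accepts either a password
# or a WebAuthn-style assertion. Real WebAuthn also verifies the signature over
# authenticatorData||hash(clientDataJSON), the signature counter, and the
# user-presence flag; only the origin binding is modelled here.

EXPECTED_ORIGIN = "https://example.com"  # assumed RP origin (constructed)
EXPECTED_RP_ID = "example.com"           # assumed RP ID (constructed)

# Constructed stored credential. Real systems use a slow, salted hash
# (argon2/bcrypt/scrypt); SHA-256 is used only to keep the example short.
STORED_PASSWORD_HASH = hashlib.sha256(b"hunter2").hexdigest()


def password_login_accepts(submitted_password: str) -> bool:
    """A password is bearer data: the RP cannot tell whether it was typed by
    the user on the real site or captured on a lookalike and replayed."""
    digest = hashlib.sha256(submitted_password.encode()).hexdigest()
    return digest == STORED_PASSWORD_HASH


def make_assertion(browser_origin: str, rp_id: str, challenge: str) -> dict:
    """What the browser/authenticator hands back during sign-in.

    The browser, not the page's JavaScript, fills in `origin`, so a phishing
    page cannot claim to be https://example.com. (Constructed simplification:
    rpIdHash is hex here; real authenticatorData carries raw bytes.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}
    )
    rp_id_hash = hashlib.sha256(rp_id.encode()).hexdigest()
    return {"clientDataJSON": client_data, "rpIdHash": rp_id_hash}


def passkey_assertion_accepts(assertion: dict, expected_challenge: str) -> bool:
    """RP-side verification of the origin binding (subset of WebAuthn step list)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False  # replay of an old assertion
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False  # assertion was produced on some other site
    expected_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).hexdigest()
    return assertion["rpIdHash"] == expected_hash


def phishing_outcome() -> dict:
    """Compare what a lookalike site (constructed: example-login.com) gets
    away with for each credential type."""
    # The victim types the password on the lookalike; the attacker replays it.
    replayed_password_ok = password_login_accepts("hunter2")

    # The victim uses their passkey on the lookalike; the browser records the
    # lookalike's origin, so the assertion fails at the real RP.
    phished_assertion = make_assertion("https://example-login.com", EXPECTED_RP_ID, "chal-1")
    replayed_passkey_ok = passkey_assertion_accepts(phished_assertion, "chal-1")

    # The same user on the genuine origin succeeds.
    genuine_assertion = make_assertion(EXPECTED_ORIGIN, EXPECTED_RP_ID, "chal-1")
    genuine_passkey_ok = passkey_assertion_accepts(genuine_assertion, "chal-1")

    return {
        "replayed_password_accepted": replayed_password_ok,
        "replayed_passkey_accepted": replayed_passkey_ok,
        "genuine_passkey_accepted": genuine_passkey_ok,
    }


if __name__ == "__main__":
    for name, result in phishing_outcome().items():
        print(f"{name}: {result}")
```

The takeaway matches the comment's framing: the password check has no way to know where the secret was typed, whereas the passkey check fails closed on any origin mismatch without relying on the user to notice the phishing page.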


