
1. If they have the access to steal your hardware key then they also probably have access to replace your usb charging cable with a malicious one, or install a keylogger on your system, or place a microphone or camera near you for acoustic or optical keylogging. All ways your password could be stolen without you knowing. If your yubikey is stolen at least you find out fast and could warn your IT manager to lock you out. Still, 99.999% of all threats are online, and for the rare few that have physical theft of keys in their threat model, then you have the option to set a pin on your yubikey with a 3 try lockout. Or you can use touchid, or another platform authenticator built into your laptop. If they can steal your unlocked laptop, then neither passwords nor passkeys are going to help so this is moot.

2. Fido2 lets you decide who to trust. A non technical user can use google or apple or a hosted nextcloud instance as a backup. A technical user is more likely to enroll the TEEs built into their phones and laptops, with a yubikey in a safety deposit box as a backup.

Passkeys and FIDO2 offer a massive reduction in attack surface and are superior to passwords in every way for every threat model I have ever heard of.

You have all the same options for managing a fido2/passkey/webauthn key as you do an ssh key.

Web passwords should go die in the same fire as SMS 2FA.



> 1. If they have the access to steal your hardware key then they also probably have access to replace your usb charging cable with a malicious one, or install a keylogger on your system, or place a microphone or camera near you for acoustic or optical keylogging. All ways your password could be stolen without you knowing. If your yubikey is stolen at least you find out fast and could warn your IT manager to lock you out. Still, 99.999% of all threats are online, and for the rare few that have physical theft of keys in their threat model, then you have the option to set a pin on your yubikey with a 3 try lockout. Or you can use touchid, or another platform authenticator built into your laptop. If they can steal your unlocked laptop, then neither passwords nor passkeys are going to help so this is moot.

You are jumping around various attack scenarios to make your point. Your child stealing your hardware token to shop on Amazon and then putting it back afterwards is a different and much more likely scenario than some targeted attack by some hacker who is prepared and breaks into your home...

Most online threats are about social engineering, where the person that is attacked actually cooperates with the attacker. AFAIK there is no safeguard against that, other than not trusting people with their own stuff.

I would worry more about someone stealing a locked laptop. If there is no password (or other kind of knowledge-based protection), then they have everything they need to unlock it.

> Web passwords should go die in the same fire as SMS 2FA.

So since you have now limited your argument to just web passwords, does that mean you agree with me that there is no good solution to replace passwords for encryption or local authentication that works offline and doesn't move the trust away from the user?


Web passwords are the primary issue. Secrets that are local on your system with hardware enforced rate limiting, such as a pin on a yubikey, are reasonable. Pins are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.

You can do FDE with a smart card+pin or smart card+biometrics depending on your threat model.

I consider a pin provided to local hardware or for local decryption different from the concept of a password as is widely deployed on every web service under the sun.

Services should never see your secrets though, only public keys.

I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.
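The point made above, that the service only ever holds a public key, is the core of the FIDO2/WebAuthn model. The following Go program is an added illustration, not code from any commenter or from the FIDO specifications: it sketches a simplified challenge-response in which the private key stays on a modelled authenticator, the relying party stores only the public key and a signature counter, and the verification rejects a replayed assertion and an assertion signed for a look-alike domain. The names (`Authenticator`, `Credential`, `Assertion`, `bank.example`, `evil.example`) and the exact byte layout signed are this example's own assumptions, chosen to mirror WebAuthn's authenticatorData-plus-clientData hash construction rather than reproduce it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's key holder (a YubiKey, a phone or
// laptop TEE). The private key is generated here and never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // monotonic signature counter, bumped on every assertion
}

// Credential is everything the relying party (the web service) keeps:
// a public key and the highest counter seen so far. Nothing here is secret.
type Credential struct {
	pub     *ecdsa.PublicKey
	counter uint32
}

// Assertion is the authenticator's answer to one login challenge.
type Assertion struct {
	rpIDHash [32]byte // relying party the signature was produced for
	counter  uint32
	sig      []byte // ASN.1 ECDSA signature over signedData(...)
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register hands the service the public half only.
func (a *Authenticator) Register() *Credential {
	return &Credential{pub: &a.priv.PublicKey}
}

// NewChallenge is drawn server-side per login so every assertion is fresh.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// signedData binds the challenge to the relying party id and the counter
// (constructed layout for this example, modelled on WebAuthn's).
func signedData(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], counter)
	buf := make([]byte, 0, 32+4+len(challenge))
	buf = append(buf, rpIDHash[:]...)
	buf = append(buf, cnt[:]...)
	return append(buf, challenge...)
}

// Assert signs the challenge for rpID, the origin the browser reports, so a
// signature obtained on a look-alike domain is useless on the real one.
func (a *Authenticator) Assert(rpID string, challenge []byte) (Assertion, error) {
	a.counter++
	h := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(signedData(h, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return Assertion{rpIDHash: h, counter: a.counter, sig: sig}, err
}

// Verify is the server side: origin, counter and signature are checked with
// nothing but the stored public key.
func (c *Credential) Verify(rpID string, challenge []byte, as Assertion) error {
	if as.rpIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("assertion was made for a different relying party")
	}
	if as.counter <= c.counter {
		return errors.New("signature counter did not advance: replay or cloned authenticator")
	}
	digest := sha256.Sum256(signedData(as.rpIDHash, as.counter, challenge))
	if !ecdsa.VerifyASN1(c.pub, digest[:], as.sig) {
		return errors.New("signature does not verify against the stored public key")
	}
	c.counter = as.counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	cred := auth.Register() // the service stores this; auth.priv stays on the device
	ch, _ := NewChallenge()
	as, _ := auth.Assert("bank.example", ch)
	fmt.Println("login:  ", cred.Verify("bank.example", ch, as))
	fmt.Println("replay: ", cred.Verify("bank.example", ch, as))
	ch2, _ := NewChallenge()
	as2, _ := auth.Assert("evil.example", ch2)
	fmt.Println("lookalike:", cred.Verify("bank.example", ch2, as2))
}
```

The design choice worth noticing is what a breach of the service yields: a table of public keys and counters, which lets nobody log in anywhere. Contrast that with a password database, where even a well-hashed secret is still a secret that can be guessed offline and that the user may have reused.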


> Web passwords are the primary issue. Secrets that are local on your system with hardware enforced rate limiting, such as a pin on a yubikey, are reasonable. Pins are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.

I consider PINs, passwords and passphrases to be the same thing, just with different rules to create/input them. Numerical PINs might be easier to remember, but as with unlock patterns on a phone, it is also easier for someone to casually observe you entering one and memorize it.

Biometrics I am not a fan of, because they can be stolen without you noticing. With a password you have to enter it in an untrusted environment, which takes more effort to set up. Also biometrics cannot easily be changed if they leak. And they also change involuntarily with time and events, and some people even have identical biometric data.

> I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.

The discussion started with wanting to replace all passwords.

I don't know anything about passkeys, but FIDO2 can be used for hard drive encryption: https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-...

IMO, 2FA via hardware key etc. next to a password/PIN is great, but IMO some kind of proof of knowledge cannot be replaced by just a proof of possession.
