> Web passwords are the primary issue. Secrets that are local on your system with hardware-enforced rate limiting, such as a PIN on a YubiKey, are reasonable. PINs are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.
I consider PINs, passwords and passphrases to be the same thing, just with different rules for creating/entering them. Numerical PINs might be easier to remember, but, as with unlock patterns on a phone, it is also easier to casually observe someone entering one and memorize it.
Biometrics I am not a fan of, because they can be stolen without you noticing. With a password, you have to enter it in an untrusted environment, which takes more effort to set up. Also, biometrics cannot easily be changed if they leak. They also change with time and events, involuntarily, and some people even have identical biometric data.
> I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.
The discussion started with wanting to replace all passwords.
IMO, 2FA via a hardware key etc. next to a password/PIN is great, but IMO some kind of proof of knowledge cannot be replaced by just a proof of possession.
I don't know anything about passkeys, but FIDO2 can be used for hard drive encryption: https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-...
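The quoted claim at the top of the thread, that a short PIN is reasonable when a hardware retry counter enforces rate limiting but the same secret would be hopeless as a web password, can be made concrete with a small model. The following is an added example, not code from either commenter: it models a token that wipes itself after a fixed number of wrong PINs (the retry count of 8 and the offline guess rate are assumptions chosen for illustration, not figures from the thread), and contrasts the online attacker's success probability with the expected time to crack the same PIN offline from a leaked hash.

```python
"""Added example: online-guessing resistance of a hardware-rate-limited PIN
versus offline guessing of the same secret. Not from the original thread."""
import hmac
import math

# Assumption for illustration: the token wipes its credentials after this many
# consecutive wrong PINs, the way a FIDO2 authenticator's retry counter behaves.
MAX_RETRIES = 8


def pin_entropy_bits(digits: int) -> float:
    """Entropy of a uniformly random numeric PIN of the given length."""
    return digits * math.log2(10)


def offline_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to recover a secret when the attacker can verify guesses
    offline (e.g. against a leaked password hash): half the keyspace on average,
    limited only by hardware speed, with no lockout at all."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def online_success_probability(digits: int, max_retries: int = MAX_RETRIES) -> float:
    """Chance that an attacker guesses a uniform PIN before the retry counter
    runs out: at most max_retries distinct guesses out of 10**digits."""
    return max_retries / 10 ** digits


class HardwareToken:
    """Toy model of a token whose PIN check is enforced in hardware: each wrong
    guess decrements a counter, and reaching zero wipes the secret."""

    def __init__(self, pin: str, max_retries: int = MAX_RETRIES):
        self._pin = pin.encode()
        self._max_retries = max_retries
        self.retries_left = max_retries
        self.wiped = False

    def verify(self, guess: str) -> str:
        """Return 'ok', 'bad' or 'wiped'. Uses a constant-time comparison so the
        model does not leak the PIN through timing, as real firmware must not."""
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(guess.encode(), self._pin):
            self.retries_left = self._max_retries  # a correct PIN resets the counter
            return "ok"
        self.retries_left -= 1
        if self.retries_left == 0:
            self.wiped = True
            self._pin = b""  # credentials gone; further guesses are pointless
            return "wiped"
        return "bad"


def online_attack(token: HardwareToken, digits: int) -> tuple[str, int]:
    """Enumerate PINs in order against the token until it either accepts a guess
    or wipes itself. Returns the outcome and the number of guesses made."""
    for n in range(10 ** digits):
        outcome = token.verify(f"{n:0{digits}d}")
        if outcome != "bad":
            return outcome, n + 1
    return "exhausted", 10 ** digits


if __name__ == "__main__":
    # Same 6-digit secret, two threat models.
    bits = pin_entropy_bits(6)
    print(f"6-digit PIN: {bits:.1f} bits of entropy")
    print(f"online, retry counter of {MAX_RETRIES}: P(success) = "
          f"{online_success_probability(6):.1e}")
    # Assumed offline rate: 1e9 guesses/s against a fast, unsalted hash.
    print(f"offline at 1e9 guesses/s: expected {offline_crack_seconds(bits, 1e9):.1e} s")
    print(online_attack(HardwareToken("4711"), 4))  # attacker gets wiped on guess 8
```

The point the model makes is that the PIN's entropy never changes; what changes is whether the verifier can refuse to answer. With a hardware counter the attacker's budget is a handful of guesses regardless of their compute, while a web password whose hash leaks is checked on the attacker's own hardware and must carry enough entropy to survive that on its own.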