Forum Moderators: phranque


FIDO Alliance Gets Expanded Support for Passwordless Sign-Ins

Apple, Google and Microsoft

engine

1:56 pm on May 5, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The FIDO (Fast IDentity Online) Alliance has said Apple, Google and Microsoft have committed to extended support for the common passwordless sign-in, created by the Alliance and the World Wide Web Consortium. The new capability will allow "websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms." The FIDO Alliance says this should become available across Apple, Google, and Microsoft platforms in the coming year.

[fidoalliance.org...]

What this means is a much faster and broader implementation of passwordless sign-ins.

ronin

8:44 pm on May 7, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I read about this yesterday, but it struck me quite quickly that there's something missing here.

The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option. Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.


It's true that password-based security is a huge pain and I'd be as happy as anyone else to see the back of it.

But. In the uncommon (but not vanishingly rare) situation where you need a friendly third-party to have access to a secure app when you are not present, revealing your device PIN to that friendly third party is far from ideal and a biometric like your fingerprint or your face is entirely impractical.

This is as true for software as it is for hardware.

There must be many other approaches which are more secure than character-based passwords but not as restrictive as biometrics.

- QR-code-based passwords?
- Photo-based passwords (if you can scan a face, you can scan a photo)?
- Complex aural passwords (i.e. the first eight bars of a selected song)?
- Finger tap rhythm passwords (probably impractical, since it's hard to remember more than a handful of these)
- Finger-traced shape-based passwords (same as above)
- A random selection of words from a chosen poem
- Answers to a random selection of questions (from dozens of questions)

There must be hundreds more approaches.

ronin

8:46 am on May 10, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Says Charles Hoskinson of IOHK on Twitter:

I love how the 30-year quest for a password free internet is to turn over all control to Google, Apple, and Microsoft and let them just handle it for you

Source: [twitter.com...]


I have sympathy for this observation.

Q: What's the problem?

A: Alphanumeric passwords are a pain. (No argument there.)

Q: How are some vested-interest parties attempting to present the problem?

A: All passwords are a pain.

There is some disingenuity going on here.

engine

9:44 am on May 10, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I'm no expert on this. I've read some of the material on the FIDO Alliance website. It's probably worth reading how this all works, and I'm not sure the "keys" are any use to anyone that may hold one of them. OTOH, the password is far less secure.

The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.

[fidoalliance.org...]

engine

10:47 am on Jun 8, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Apple, at its Worldwide Developers Conference (WWDC) this week, has described its system of passwordless login, "Passkey", which is based on its work with the FIDO Alliance. Apple did not pin down specifics relating to the adoption, which, in part, depends greatly upon the adoption of the new technology within websites.

It'd be nice to think this technology is adopted sooner, rather than later.