Why do we still use passwords? When I connect to Amazon.com I don't ask them for a username and password to verify they really are Amazon. I verify their certificate. Why can't I authentic with a certificate too?
Back in the dark, dark days before LetsEncrypt, I had some StartSSL free certs. At one point, I was logging into their site using a certificate. I assume it was quite secure, but it was a complete PITA to set up. Especially when I wanted to log in on a different machine.
You can. Client side SSL is a thing, and it totally prevents phishing - pretty much any browser has supported it for ten years.
It is also a UX nightmare. The browser you are reading this with almost certainly support it, but try to see if you can find the menu option to install one.
I've actually played around with that. Yes, the browser side UX is a nightmare. It was real fun (for extremely small values of "fun") installing the client certificate on Firefox and Safari (on the Mac, on the iPad and on the iPhone). I was rather surprised by the number of different browsers (and number of computers) it needed to be installed on.
This has been implemented before. I briefly maintained a legacy project that supported it via IE. In practice, it's a nightmare. Users constantly lose their certs and require manual re-auth. There was a complex install process to get the new cert in place. Usernames and passwords were still a thing; the cert was just to verify that you're coming from an authenticated computer.
Something like your proposal may work if it involves a one-way hash of biometric data (fingerprint scan) so that people can't "lose their cert", but that comes with its own problems too.
>Something like your proposal may work if it involves a one-way hash of biometric data (fingerprint scan) so that people can't "lose their cert", but that comes with its own problems too.
Such as biometrics make terrible passwords because they can't be changed. Once compromised (3d printed fingerprints anyone? [0]) then you are forever compromised. Just in case someone wanted an example of why biometrics are terrible.