by D-Nice 1874 days ago
As someone whose main project surrounds passwords, I could appreciate a future without passwords, because I consider most existing solutions to be quite poor.

However, this feels more like having your sheep be herded by a fox...

Many here have already mentioned great points retorting this, so I won't beat a dead horse.

I will take the selfish opportunity to mention what my solution is that I'm working on: https://app.SrsPass.com

There are some rudimentary docs with a spec outline for those interested. But to sum it up, I share the same fears as others here of one device being some ultimate honey pot, or even worse, losing everything I have due to corruption or losing any or all devices where your pass vaults are when it comes to traditional managers. (Mind you, this is coming from someone who runs RAID-Z3 NAS in multiple offsites.)

Basically, to keep it simple, I required the following aspects:

- Available-source or Open-source (duh)

- Accessible on just about any device with a cpu, arm/x86 etc

- Vaultless & as stateless as possible

- No cloud, works completely offline

- Uses modern cryptography with sufficiently strong parameters

- Requires only one password to memorize

- Has uncrackable generated passwords (aka not feasible to crack in a long time period such as with 128 bits of entropy).

I believe SrsPass already meets all those aspects. That is not to say that there aren't more features being worked on (the workboard is essentially public); however, I think you'd be hard pressed to find a more secure (when you build & run it yourself) and accessible password manager than it.

1 comments

There already is a future without passwords, it's WebAuthn.

The key element that didn't make your list is phishing. The next threat to Joe Average once he isn't reusing a crap password is phishing. Joe goes to a site which he thinks is the right place but it isn't, it's actually run by bad guys and then Joe gives them his credentials and helps them break into the real site Joe thought he was visiting.

Better passwords make no difference to that. Some types of password managers might slow Joe down a bit, as he needs to override a default presumption that this is the wrong site, but since the site has tricked Joe already this is very fragile. TOTP makes no difference, SMS of course makes no difference, and even the Google Auth tech AFAIK makes no difference.

But WebAuthn just stops this attack dead in its tracks.

It's a definite improvement, and good point indeed regarding phishing... just as your answer precludes, a whole different authentication mechanism is needed to avoid phishing, that is why unfortunately that couldn't make my list. However, it does protect your other accounts from getting breached if one is either phished or breached, which I considered to be good enough.

WebAuthn does have its own issues and complications, mainly with how to handle account recovery on a lost or corrupted device. Sure, you can have a replacement device, as likely me and you try and do for most things, however, this is too burdensome for many.

I think the biggest issue with any new spec like WebAuthn is vendor adoption. As it is, many banks fail to have any 2FA, and those that do give you the terrible choice of SMS 2FA. In addition, they have odd and archaic password requirements, such as only these symbols, and only up to 20 characters, etc. If they have failed to rectify these in the last 2 decades, I'm afraid of how far in the future something like WebAuthn is from being in real use. Hence I made SrsPass as hopefully a solution to today's password problems, the ones I considered sanely resolvable.