[90211]

Not everything needs perfect OpSec. sometimes convenience is more important. I don't care if my HN account gets hacked and if I was forced to use 2FA I would just stop using it.

Passwords have security vulnerabilities, sure. But they're intuitive and usable. When you start trying to come up with alternatives there become dozens of edge-cases in which your system fails.

[jrockway]

Passwords are exceedingly inconvenient, and getting rid of them doesn't require adding a second factor. To use passwords, you have to constantly monitor the Internet to see if it's been leaked (in the case where you use a password and memorize it), or you have to subscribe to a third-party service to manage your passwords. To use WebAuthn, you just need the functionality built into your OS. Physical custody of your computer and the screen lock then protect your online accounts.

Or in the case of Github, you generate an SSH key and put the public key in Github and keep the private key around.

Both are much more convenient than passwords, but also more secure. It's a win/win.