by idle_zealot 1503 days ago
> A password exists in your memory, yes, but it also exists in the databases of untold numbers of corporations, each with different levels of security

> passwords, by nature, have to exist somewhere other than your head, guarded by someone other than you.

What? That’s simply not true. Passwords are only stored in your head and anywhere you explicitly write them down for safekeeping (like a password manager). Services do not need a copy to validate your password, and should never store one. They only need a salted hash to confirm if the password you input was correct. Such a hash is irreversible without an attacker randomly guessing your password through brute force, which is beyond impractical for any decent password.

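An added example (not code from the comment above, and not any real service's implementation) of the salted-hash verification described there: the service stores only a salt and a slow hash, checks a login attempt by recomputing the hash, and the only way to recover the password from the stored record is to guess. The record format `pbkdf2_sha256$iterations$salt$digest`, the iteration count, and the helper names are assumptions for illustration; PBKDF2 is used here because it ships with the Python standard library, but a deployment would more often reach for Argon2 or scrypt.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# The stored record never contains the password, only material derived from it.
DEFAULT_ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return the string a service would store for this password.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only useful for deterministic tests). Hypothetical record format:
    algorithm$iterations$salt_hex$digest_hex.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Check a login attempt against a stored record without ever having the original password.

    The salt and iteration count come out of the record; the candidate is run
    through the same derivation and compared in constant time.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        # Malformed record: fail closed rather than raise.
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def dictionary_attack(stored: str, guesses: Iterable[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: try guesses one by one.

    Returns the first guess that verifies, or None. Each guess costs a full
    PBKDF2 derivation, which is the point of a slow, salted hash.
    """
    for guess in guesses:
        if verify_password(stored, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample input for the demo.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password(record, "correct horse battery staple"))
    print("login with wrong password:", verify_password(record, "Correct horse battery staple"))
    # Two registrations of the same password produce different records because of the salt.
    print("same password, different records:", hash_password("hunter2") != hash_password("hunter2"))
    # Constructed small wordlist: the attacker only gets the password by guessing it.
    print("dictionary attack result:", dictionary_attack(record, ["password", "hunter2", "letmein"]))
```

The iteration count is lowered in tests to keep them fast; the `verify_password` path is identical at any count because it reads the count from the record, which is also what lets a service raise the work factor over time without touching existing entries.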

I stand corrected on some of my phrasing, thank you for the correction. However...

> Services do not need a copy to validate your password, and should never store one.

"Do not need" and "should" are the key words here. Users don't know how a site stores passwords; we have to trust them to use strong encryption when it comes to hashing, and to not store it in plaintext.

Users don’t know how a site implements FIDO either.

With any authentication system you do have to trust the server you’re accessing to identify you correctly. Take FIDO: sure, in theory someone would have to be close to you to steal the “thing you have”, but if the service you’re authenticating with doesn’t implement the protocol properly or is hacked, then attackers may be able to access your account without being anywhere near you.

All authentication schemes offer benefits only if implemented correctly.