It is well past time to stop using passwords. We should be using TLS client certs (as in mutual TLS aka mTLS) or WebAuthn passkeys already. I prefer certs because they don't require support in the web application, but they have a terrible UI and browsers seem to be making that worse, so WebAuthn it is. I just wish WebAuthn had a standardised HTTP header or TLS extension so it would be usable without JavaScript; currently every website has to implement its own login protocol in JavaScript.
That's probably better. But moving entirely from "things I know" to "things I own" comes with its own set of security disasters waiting to happen. We are better off using those to augment the password than to replace it.
Yes. Either you use one physical key for everything, in which case you have to keep it with you all the time, which makes it only a matter of time before you lose it, or you have one ultra-secure key which you don’t normally use, leading to another problem:
I don't think "things I own" is a bad security model in itself.
The ideal of authentication (to me) seems to be some kind of USB dongle with your private key baked in the hardware, that you can use to create digital signatures proving your identity. Short of stealing the dongle, there is no way anyone can steal your identity.
Using your dongle example, how do you access important services away from home? Carry the dongle everywhere? If so, you risk losing the dongle.
Same with your phone as the "thing I own". That's great, until the phone dies/breaks/gets lost. Hopefully you have a tablet as backup, or the paper copy of your one-time codes in your wallet.
I don't have a good answer. I just hate the idea of needing to access banking services when traveling should my phone become unavailable.
> Carry the dongle everywhere? If so, you risk losing the dongle.
To be fair, we also carry our IDs everywhere and risk losing them all the time, yet it works pretty fine in most cases. Losing your ID is painful, and so would be losing the dongle, but the security of it outweighs the risk, IMHO.
Even more if we create dongles that are shaped like cards, so we can keep them in our wallets like IDs.
Normally you do not use the ID in day to day operations.
A better example would be a credit card, which combines a password (or PIN) with a cryptographic chip.
The card itself is too easy to steal, hence the backup password.
The other possibility is biometrics, but these come with their own problems.
The answer with WebAuthn devices is to have more than one of them. When traveling, keep one in your safe, one with your home computer, one in the hotel and one along with your laptop. With WebAuthn passkeys, they are synced to the cloud so are available on all your devices or anywhere you have access to your cloud accounts.
Apple/Microsoft are also adding WebAuthn "passkeys", which is basically the same as the USB device thing, except the keys are stored on your laptop instead, perhaps in the TPM or similar. They are also synced across devices using their cloud services.
Passwords for websites are (hopefully) hashed locally. And more importantly, how does it make a difference whether you or the password manager types in the password into the web form?