[dns_snek]

> If it can be put into a password manager, it's "something you know", regardless of what the intention is or was. Intentions don't drive what things actually are.

That's not a useful distinction and needlessly breaks an otherwise useful model. By that logic, every authentication method is just "something you know" since every piece of information can be represented as a stream of bits, and password managers are well equipped for storing it. That includes your face, fingerprint, and DNA.

[jerf]

I agree with your last sentence and I am finding the know/are/have model actually quite useless in practice, for that very reason. It's all really just variants on knowing, and rather than breaking the world into three categories, two of which don't really exist, it's much more sensible to look at what the differences between the classes of "knowing" is.

For example, while I "know" my TOTP codes, it is relevant that they can not be memorized. While I "know" my passkeys, the differences in how that knowledge is interrogated is relevant. What isn't useful is modeling either of those things as "have" versus "know", because by putting them in my password manager, I have objectively broken them as a concept of "thing I have".

But people marry their models, so it'll be a while for this to get through our collective skulls. It looked so useful at first.