I already didn't like passwords before. But oh boy did I see the horror for normal folks when I observed my mother battle with a camera app recently.
She was so frustrated with the password it was crazy. Especially because there are 1000 rules a password must have to be "safe" these days. And even then, she would just use a slightly different version of her default password.
I'm 100% certain she wouldn't remember that password the next time she has to log into that account. So she has to go through the whole password reset nightmare with all this horror again. Terrible.
> generates long, random passwords, satisfying arbitrary rules that the user doesn't need to worry about
This requires lots of magic everywhere to make this "work". Every time it fails, the user is left with confusing nonsense.
At the weekend the company who took over one of my pensions sent me a QR code for "my account". Well of course it's just a "create account" link but as a QR code. So I create the account, it requires a password. So I pick a random password, nope. "Please follow the password requirements", it's a paragraph of text, including a maximum length, required characters, forbidden characters, combinations, and so on. I had to manually adjust the randomly generated password. Eventually I guessed that although double quotes aren't listed as forbidden they probably are, and that was enough.
Now, I know what I'm doing, but realistically most users are going to settle for something easy or worse they are going to give up altogether.
Passwords are awful, it's long past time to do WebAuthn.
> This requires lots of magic everywhere to make this "work".
Speaking from experience with my system: it really doesn't.
99/100 services are perfectly happy with the passwords generated by my default settings (64 chars alphanumeric with symbols). I had to manually intervene exactly 2 times so far, and the only param I had to change was the pwd length.
I have faith the services that aren't able to understand maximum length, exclusions, and character requirements are a failure of their security design will succeed in mucking up any solution to not work as simply as it should.
Half of the reason for the "requirements" list is people telling them about how poor passwords are, and they should try to get people to pick better ones. In WebAuthn: The relying party doesn't get to pick any of the security parameters.
The other half is their backend systems not being able to cope with sensible things and so they picked whatever was easier. In WebAuthn, again, the relying party doesn't get to pick any of the security parameters.
Lots of bad practices that happen for passwords don't survive implementation in WebAuthn. It's the same philosophy as to why I preferred writing plain Java over Python - "You can't do that, it doesn't compile" beats, "Oops, the job ran to completion overnight, but the output phase tried to multiply an empty string with an array and so it failed at that point".
For example, hey, users know this is Awesome Site, so, no problem asking for their awesome.example password on our new betteryet.example site, right? You know the Big Boss is going to insist on that. With passwords most users won't notice (which is why they get phished) and if you're the sort of person who does notice now you need to tell your password manager that yeah, this password must be entered on betteryet.example as well as awesome.example. In WebAuthn that can't work. Not "You need some fancy JavaScript". Not "Tell the user to press the Destroy Security Please" button, nothing like that, it just can't work. WebAuthn knows this is betteryet.example so, it can only have betteryet.example credentials, there is no backdoor, no override, too bad, if you're really awesome.example you should have people log in to awesome.example.
The big boss can rage and scream and threaten and it won't make any difference, it's just a fact, like that time they were sure nine was more than fourteen and it isn't.
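Added example, not part of the comment above or any project's code: a relying-party-side sketch of the scoping described there, checking the `origin` in clientDataJSON and the `rpIdHash` (SHA-256 of the RP ID) at the start of authenticatorData. The helper names and sample assertions are constructed for illustration, and signature and challenge verification, which a real verifier also needs, are left out.

```python
import hashlib
import hmac
import json

def make_assertion(rp_id, origin):
    """Constructed stand-in for what a browser and authenticator return."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": "Y29uc3RydWN0ZWQ",  # constructed sample value
        "origin": origin,
    }).encode()
    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4)
    flags = 0x05  # user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client_data, auth_data

def scope_problems(client_data_json, auth_data, expected_rp_id, expected_origin):
    """Return the reasons an assertion is out of scope for this relying party."""
    problems = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if client_data.get("origin") != expected_origin:
        problems.append("origin mismatch")
    if len(auth_data) < 37:
        return problems + ["authenticatorData too short"]
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        problems.append("rpIdHash mismatch")
    if not auth_data[32] & 0x01:
        problems.append("user not present")
    return problems

if __name__ == "__main__":
    own = make_assertion("betteryet.example", "https://betteryet.example")
    other = make_assertion("awesome.example", "https://awesome.example")
    print(scope_problems(*own, "betteryet.example", "https://betteryet.example"))
    print(scope_problems(*other, "betteryet.example", "https://betteryet.example"))
```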