
Note that all uses of the password before the computer were not for personal security, but organizational security. If the enemy infiltrated without the use of the password, it could mean the downfall of an empire.

Today we use passwords largely for personal security. Yet when companies choose what methods of authentication/authorization they offer, they don't care what the user wants. They pick methods that will make their own jobs easier, rather than giving the user more convenience. The user has no agency today; it's just take what they give you and be thankful for it.

As a result, the tech landscape is full of wildly varying authn+z methods. Inconsistent password policies, inconsistent challenge methods (when they exist), inconsistent use (and types) of MFA, inconsistent use of hacker-prevention methods, the occasional use of single sign-on for only a few identity providers, "magic login email links", nearly non-existent use of client-side keys, etc etc. Almost every site you log in to today will have a different system. Passkeys aren't much better, because they too are just a hodge-podge of different standards, not all of which need to be supported.

We need more consistency for the methods that exist. There should be a standard for challenge questions, a standard for hacker-detection, a standard for password policies, a standard for MFA, etc. That way it will be a little less haphazard how everyone implements them, and it will be easier to prevent security bugs by following the guidelines for implementing the standard.

But I also think more should be done to advocate for what the user wants. If the user wants to use a regular password, let them enable it. If the user wants to disable MFA, let them disable it. If they want to opt out of the multi-layered hacker-detecting challenge questions, let them opt out. This is, after all, their personal security, not the security of the entire company selling them some service or product. A person should be able to decide their personal security level.

Alas, we don't really have much choice in what current companies give us. But if we voice our opinions loud enough, maybe new companies will give us the agency we want, and maybe that tiny competitive edge will prompt other companies to match them.



The "standard" is to have someone else deal with it. Login with Auth0/Apple/Facebook/Google/GitHub/Microsoft/GitHub/Twitter/etc is that.


OAuth2/OIDC isn't enough. There are many cases where they're not an option at all; outside of (internet-connected) browser flows, you need more solutions. They add a ton of complexity and are difficult to implement correctly. They don't support other protocols. The implementation of each is specific to the provider ("scopes" is application-specific, etc). You aren't guaranteed to get all the functionality (grant types), assuming all parties have implemented them. And it doesn't provide a standard for MFA, challenges, recovery, secret storage, secure login to the IdP, etc. It really only covers a single use-case. When people do implement that use-case, they often do so improperly, leading to gaping security holes.

So we need more standards. But those standards need to come in three varieties: 1) new standards, 2) simpler designs, 3) guidelines for implementations. There are solutions that exist today, that have no standard. There are "standard" designs today, but they're overcomplicated. And we need better guides on how to implement standards so that users (and developers) have an easier time using the solutions.
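Two of the points above, that a provider may not advertise the grant types or scopes you need and that relying parties often skip the ID token checks the spec requires, as an added example that is not from this thread or any provider's code. The discovery document, issuer URL, client id and claim values are constructed; signature verification is assumed to have happened already.

```python
import time

# Constructed sample of an OpenID Connect discovery document (the shape providers
# publish at /.well-known/openid-configuration); every value here is made up.
DISCOVERY = {
    "issuer": "https://idp.example.test",
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email"],
}

REQUIRED_GRANTS = {"authorization_code", "refresh_token"}
REQUIRED_SCOPES = {"openid", "email"}


def missing_capabilities(doc, grants=REQUIRED_GRANTS, scopes=REQUIRED_SCOPES):
    """Return what this provider does not advertise, so an app can fail at
    configuration time instead of discovering a missing grant type in production."""
    missing = {
        "grant_types": sorted(grants - set(doc.get("grant_types_supported", []))),
        "scopes": sorted(scopes - set(doc.get("scopes_supported", []))),
    }
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        missing["pkce"] = ["S256"]  # no PKCE means code interception is not mitigated
    return {k: v for k, v in missing.items() if v}


def validate_id_token_claims(claims, expected_issuer, client_id, nonce, now=None):
    """Claim checks on an already signature-verified ID token payload that
    relying parties commonly skip. Returns a list of failures (empty = valid)."""
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != expected_issuer:
        errors.append("iss mismatch")  # token minted by a different provider
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        errors.append("aud does not contain client_id")  # token meant for another app
    if len(aud) > 1 and claims.get("azp") != client_id:
        errors.append("azp missing or wrong with multiple audiences")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        errors.append("token expired or exp missing")
    if claims.get("nonce") != nonce:
        errors.append("nonce mismatch")  # token replayed from another login
    return errors
```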


It's comical, some site only allowed auth via Twitter, and I signed up for Twitter via a burner Google account. I get redirected like 30 times logging in and asked about my favorite celebrities along the way.



