
In the case of networked hardware, the stealing the device part is a relatively minor concern.

For the case of passkeys, expect the bad actors currently playing the phishing game to shift from getting you to enter your password on a fake site, to getting you to install an app that either triggers the push notification to send the passkey or has a way to lift the passkey off the device directly. And in order for this tech to be useful, it will have to be expanded to cover nearly all sites and services available on the internet. So phishing will still happen in the form of bogus sites and services getting past whatever app verification equivalent process Google tries to put in place for services that would like to integrate with their passkey provider.

My claim that the passkeys are strictly worse than passwords applies specifically in the sense that, as a form of authentication, passkeys do not prove that the person logging into the site is actually the person they say they are. Passwords prove that only in the case that no one, who is not you, knows your password. Passkeys only prove you are who you say you are in the case that no one, who is not you, can unlock or otherwise get access to your networked and only loosely secured smartphone. It is easier to hack or steal a phone than it is to read your mind.

Though I grant you the point that one doesn't always have to read the mind, only trick it into giving up the goods. Fair enough but that is still the owner of the password DOING something whereas phones can be broken into through the network, through something the user did (like downloading malware), or through something they didn't do or know to do (like downloading updates).

It can also be broken into by way of something the owner had no control over, like a supply chain attack on app or system updates, a compromised third party service for one of the legit apps you have installed, or a zero-day hack for an app or the system itself.

Those situations are exactly why password systems must be designed NOT to store the password on any devices, whether that's a file on a phone or laptop, or a cell in a database. Every time the password is written down, it is effectively already compromised as an authentication tool because it's no longer just something you know.



> My claim that the passkeys are strictly worse than passwords applies specifically in the sense that, as a form of authentication, passkeys do not prove that the person logging into the site is actually the person they say they are.

This isn't theory. Design should be data driven rather than ideologically driven.

> It is easier to hack or steal a phone than it is to read your mind.

Mind reading is observably not the only way to obtain somebody's password. As you say in your next paragraph, this is extremely important when considering passwords. Plenty of things work great if you simply exclude all the cases when they don't work great. Everybody sucks at detecting phishing, even security professionals. This is demonstrated through clear data. "Well, I had to do something to get owned" is not meaningful. We should not care about the ideological purity of practical systems. We should care about their practical outcomes.

> Those situations are exactly why password systems must be designed NOT to store the password on any devices, whether that's a file on a phone or laptop, or a cell in a database. Every time the password is written down, it is effectively already compromised as an authentication tool because it's no longer just something you know.

This is also largely wrong from a practical perspective. Chrome can happily store your saved passwords on disk if you don't want to sync with a backend service. This adds minimal risk, since a rogue program that can read all your files is very likely to be able to fuck you even if the passwords are only ever temporarily stored in memory.
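The contrast the two comments above argue over, as an added example that is not part of the thread: a password entered on a look-alike site replays fine at the real site, while a passkey assertion is scoped to the site's hostname and signs over the origin, so a look-alike site gets nothing usable. The origins are constructed, and the authenticator's signature is modelled with a per-site HMAC standing in for the asymmetric signature real passkeys use.

```python
# Added example (not from the thread): a toy model of the point argued above.
# A password typed into a look-alike site replays at the real site; a passkey
# assertion is scoped to the site's hostname and signs over the origin, so it
# cannot be relayed. Assumption: HMAC keyed per relying party stands in for the
# asymmetric signature real passkeys use; the binding logic is the same.
import hashlib, hmac, json, os
from urllib.parse import urlparse

REAL = "https://bank.example"       # constructed real origin
FAKE = "https://bank-example.com"   # constructed look-alike origin

class Authenticator:
    def __init__(self):
        self._keys = {}             # one credential secret per relying-party ID
    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]    # a real RP would store a public key instead
    def sign(self, rp_id, client_data):
        if rp_id not in self._keys: # look-alike hostname: no credential to use
            raise KeyError("no credential for " + rp_id)
        msg = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self._keys[rp_id], msg, hashlib.sha256).digest()

def browser_get_assertion(auth, origin, challenge):
    """The browser, not the page, fixes rp_id and origin from the URL bar."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return client_data, auth.sign(urlparse(origin).hostname, client_data)

def rp_verify(key, challenge, client_data, sig):
    """Real site rejects a wrong challenge (replay) or wrong origin (relay)."""
    data = json.loads(client_data)
    if data["challenge"] != challenge or data["origin"] != REAL:
        return False
    msg = hashlib.sha256(urlparse(REAL).hostname.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig)

def phish_password(stored="hunter2"):
    typed_into_fake = stored                      # user enters it on FAKE
    return hmac.compare_digest(stored, typed_into_fake)  # replayed at REAL: accepted

def phish_passkey(auth, key):
    challenge = os.urandom(16).hex()              # attacker fetched it from REAL
    try:
        client_data, sig = browser_get_assertion(auth, FAKE, challenge)
    except KeyError:
        return False                              # nothing to sign with
    return rp_verify(key, challenge, client_data, sig)

def legit_passkey(auth, key):
    challenge = os.urandom(16).hex()
    return rp_verify(key, challenge, *browser_get_assertion(auth, REAL, challenge))
```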
