
Web passwords are the primary issue. Secrets that are local on your system with hardware-enforced rate limiting, such as a PIN on a YubiKey, are reasonable. PINs are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.

You can do FDE with a smart card + PIN or smart card + biometrics depending on your threat model.

I consider a PIN provided to local hardware or for local decryption different from the concept of a password as is widely deployed on every web service under the sun.

Services should never see your secrets though, only public keys.

I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.
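The contrast drawn above, a short PIN behind a hardware retry counter versus a password that may be attacked offline from a leaked hash, as an added worked model that is not part of the thread. The retry budget, guess rates and time horizon are constructed assumptions, not figures from any particular device.

```python
"""Why a 6-digit PIN behind a lockout counter and a 256-bit web password
answer different threat models.

Online/hardware model: every guess passes through the authenticator, which
counts failures and destroys the secret after a fixed budget.
Offline model: the attacker holds a leaked password hash and tests guesses
at full hardware speed with no lockout at all.
"""
import math


def online_guess_success(secret_space: int, attempt_budget: int) -> float:
    """Probability of guessing a uniformly random secret before lockout.
    Each wrong guess removes one candidate, so P = budget / space."""
    return min(1.0, attempt_budget / secret_space)


def offline_exhaust_seconds(secret_space: int, guesses_per_second: float) -> float:
    """Worst-case time to test the entire space against a leaked hash."""
    return secret_space / guesses_per_second


def bits_needed_offline(guesses_per_second: float, horizon_seconds: float,
                        max_success_probability: float) -> int:
    """Minimum entropy so an offline attacker running for horizon_seconds
    succeeds with probability at most max_success_probability."""
    total_guesses = guesses_per_second * horizon_seconds
    return math.ceil(math.log2(total_guesses / max_success_probability))


if __name__ == "__main__":
    # Constructed assumptions: 6-digit PIN, 8 tries before the device wipes.
    print("PIN behind lockout, P(success):",
          online_guess_success(10 ** 6, attempt_budget=8))
    # Constructed assumptions: 40-bit password, 1e10 hash evaluations/s.
    print("40-bit password offline, seconds to exhaust:",
          offline_exhaust_seconds(2 ** 40, 1e10))
    # Entropy needed to hold a 10-year offline attack below 1-in-a-million.
    ten_years = 10 * 365 * 24 * 3600
    print("bits needed vs 10-year offline attack:",
          bits_needed_offline(1e10, ten_years, 1e-6))
```

The same 6-digit secret that is adequate behind a retry counter would fall to an offline attacker in a fraction of a second, which is the distinction the comment above is drawing.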



> Web passwords are the primary issue. Secrets that are local on your system with hardware-enforced rate limiting, such as a PIN on a YubiKey, are reasonable. PINs are short and memorable. Passwords generally must be 256 bits of entropy and thus not easily memorable.

I consider PINs, passwords and passphrases as the same thing, just with different rules to create/input them. Numerical PINs might be easier to remember, but as with unlock patterns on a phone, it is also easier to casually observe someone entering one and memorize it.

Biometrics I am not a fan of, because they can be stolen without you noticing. With a password you have to enter it in an untrusted environment, which takes more effort to set up. Also, biometrics cannot easily be changed if they leak. They also change involuntarily with time and events, and some people even have identical biometric data.

> I assumed we were talking about web passwords given that is the only scope FIDO2/passkeys cover.

The discussion started with wanting to replace all passwords.

I don't know anything about passkeys, but FIDO2 can be used for hard drive encryption: https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-...

IMO, 2FA via hardware key etc. next to a password/PIN is great, but IMO some kind of proof of knowledge cannot be replaced by just a proof of possession.





