科技回声: a tech news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

Second Factor Authentication

5 points by jcubic about 3 years ago
This is a comment I've added to this post on dev.to https://dev.to/kevincox/maybe-passwords-are-the-future-4gdl I think it may be of interest to Hacker News readers.

I don't think that passwords are needed at all. The reason they exist is to verify that you are you. There are better ways of doing it. But I have yet to see a good solution.

The problem the password solves is that you say once that you're you and then again you verify that you're you. But passwords are a solution that was created very long ago, when there was no other way of authentication.

I think that a 2FA solution where the 2nd A is the only A is the way to go. But it needs to be way better automated so it has better UX.

I was once thinking about a Personal OAuth solution, where the user's browser acts as an OAuth provider that can verify that she is she. Or something like LastPass but that will allow you to register to the service, not only store passwords.

All those password managers are just a patch/hack on a broken system with passwords. It would be easier to just remove all passwords and start a better way of user authentication.

Solving the password problem is a great way to start a new Startup around the idea. Having an app on a phone that acts as OAuth with single-button sign-in, like with a physical Token, would be a really great idea for a startup that will get rid of passwords. Since with 2FA you actually don't need that 1st step with the password.
The app will only work similar to LastPass, a Physical token and an Authenticator App.

The flow can work like this:

* You log in on a website with email or username only
* The request is sent to the service
* A popup shows up on your phone (that can be restricted with a PIN, like a Bank mobile app, if someone wants better security)
* The user taps the button
* The Service authenticates the user on the site

To register to a website:

* You type a username or email and a QR Code shows up on the screen
* You scan the code with the app
* And you only need one password for the Service. This can be called 2ndFA, Second Factor Authentication.

The normal process of registration with password and email will only happen with The Service.
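To make the two flows in the post concrete, here is an added Python simulation of both sides (the Service and the phone app); it is example code written for this page, not code from the post or from any product the thread mentions. The service URL, the in-memory stores, the 60-second prompt lifetime and the use of an HMAC over a per-device shared secret are all assumptions made for the example; a production design would give each device its own asymmetric key pair, as U2F/WebAuthn do. The point the example adds is what the "tap the button" step must actually approve: a nonce (so an approval cannot be replayed) and the origin of the site asking (so a prompt triggered for one site cannot be redeemed at another), both checked server-side with an expiry.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for "the Service" database (assumption).
DEVICES = {}          # username -> shared device secret (bytes)
PENDING = {}          # enrolment token or challenge id -> record awaiting the phone
CHALLENGE_TTL = 60    # seconds a QR code or push prompt stays valid (assumption)


def service_issue_registration_qr(username):
    """Service: the site shows a QR code; here it carries a one-time enrolment token."""
    token = secrets.token_urlsafe(16)
    PENDING[token] = {"kind": "register", "username": username,
                      "expires": time.time() + CHALLENGE_TTL}
    return {"service": "https://service.example", "token": token}   # hypothetical URL


def phone_scan_registration_qr(qr):
    """Phone app: generate a fresh per-device secret and return it with the scanned token."""
    device_secret = secrets.token_bytes(32)
    return qr["token"], device_secret


def service_enroll_device(token, device_secret):
    """Service: bind the device secret to the account named in the (still valid) token."""
    rec = PENDING.pop(token, None)
    if rec is None or rec["kind"] != "register" or rec["expires"] < time.time():
        raise ValueError("registration QR expired or unknown")
    DEVICES[rec["username"]] = device_secret


def service_start_login(username, origin):
    """Service: the user typed only a username on `origin`; create a challenge to push to the phone."""
    if username not in DEVICES:
        raise KeyError("no enrolled device for this user")
    challenge_id = secrets.token_urlsafe(16)
    nonce = secrets.token_bytes(16)
    PENDING[challenge_id] = {"kind": "login", "username": username, "origin": origin,
                             "nonce": nonce, "expires": time.time() + CHALLENGE_TTL}
    return {"challenge_id": challenge_id, "username": username,
            "origin": origin, "nonce": nonce}


def _approval_message(username, origin, nonce):
    # The tag covers the site origin, so an approval shown for one site cannot be
    # redeemed at another, and the nonce, so the same approval cannot be reused.
    return username.encode() + b"|" + origin.encode() + b"|" + nonce


def phone_approve(push, device_secret):
    """Phone app: the user taps Approve; the app MACs exactly what the prompt displayed."""
    msg = _approval_message(push["username"], push["origin"], push["nonce"])
    return hmac.new(device_secret, msg, hashlib.sha256).digest()


def service_finish_login(challenge_id, tag):
    """Service: accept an approval once, within the TTL, only if it matches the stored challenge."""
    rec = PENDING.get(challenge_id)
    if rec is None or rec["kind"] != "login" or rec["expires"] < time.time():
        return False
    expected = hmac.new(DEVICES[rec["username"]],
                        _approval_message(rec["username"], rec["origin"], rec["nonce"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    del PENDING[challenge_id]   # single use: a replayed tag finds no challenge to match
    return True


def demo():
    """Run enrolment, a good login, a replay, a wrong-origin approval and an expired prompt."""
    token, secret = phone_scan_registration_qr(service_issue_registration_qr("phil"))
    service_enroll_device(token, secret)

    push = service_start_login("phil", "https://shop.example")
    login_ok = service_finish_login(push["challenge_id"], phone_approve(push, secret))
    replay_ok = service_finish_login(push["challenge_id"], phone_approve(push, secret))

    push2 = service_start_login("phil", "https://shop.example")
    relayed = dict(push2, origin="https://evil.example")   # prompt displayed with another origin
    wrong_origin_ok = service_finish_login(push2["challenge_id"], phone_approve(relayed, secret))

    push3 = service_start_login("phil", "https://shop.example")
    PENDING[push3["challenge_id"]]["expires"] = 0          # the user tapped too late
    expired_ok = service_finish_login(push3["challenge_id"], phone_approve(push3, secret))

    return {"login_ok": login_ok, "replay_ok": replay_ok,
            "wrong_origin_ok": wrong_origin_ok, "expired_ok": expired_ok}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives a successful first login and three rejections: the replayed approval, the approval computed over a different origin, and the approval that arrived after the prompt expired. The PIN gate the post mentions would sit in front of `phone_approve` on the device; it does not change what the Service has to verify.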

1 comment

phillipseamore about 3 years ago
- Krypton was a U2F/WebAuthn emulator as a browser extension, controlled from an app on your phone (now part of Akamai) [they also handled SSH auth with a PAM plugin]

- MYKI kind of did this scanning barcodes thing (part of something else now or at least closed down)

- Countries with national ID schemes can do most of this via SmartCard or SIM.

- Client certificates would have been great for much of this but browsers have completely killed the usability for them.

- Think GLUU was doing something along these lines as well

Passwords can be easily stolen, bruted or guessed, en masse and remotely, but stealing phones, security keys, smartcards is way harder. So that's the only reason for 2FA. Regrettably few use 2FA without being forced into it.

But what's the redundancy going to be? I'm going to have two phones? How do I verify myself if I need to set up a new phone for auth? Can I back up my auth? And how am I authenticating to apps/sites on the phone itself?

Registration shouldn't need any input like user/email. That should just be sent when you scan the QR code (Phil just scanned our code, either sign him up or log him in if he has an account).

But in the end this has to be something that can work standalone/off-line and users shouldn't be tied to one identity/auth provider (it should be portable).

I know this is a lot of rambling, I've been up for 20 hours :/
Comment #30991907 not loaded