> For the dystopian cyberpunk future where a few companies rule the world, yup.

OAuth with Google isn't the only option. There are oodles of OAuth providers out there, and you can even set up your own.

> Biometric traits are a big nono for me.

Nobody is talking about biometrics but you.

> And another device just shifts the password problem to said device

Passwordless doesn't mean 2FA, and even if you _are_ talking about another device, the other device doesn't have to require a password.

> (same for email account instead of device).

They're not the same actually, not at all. Firstly, passwordless doesn't imply access to another _device_ (and even in the case of WebAuthn it doesn't even imply access to another service). The most common case of OAuth allows for the service provider to trust any number of providers, who may or may not require a password. It can be a hardware key, it can be a private key in software that a restricted process has access to, or yes, it can be a password.

> Once someone has access to the device (secured via one password) they have access to everything.

If someone has access to your device and password, it doesn't matter if you use unique passwords for everything, pretty much every service in existence will happily let you reset your password with access to the original email account.

> So a normal trade in convenience for security.

Hard disagree here. My biggest risk vector is third-party websites insecurely handling credentials and leaking them. If they require passwords, my password gets leaked, which means I need unique passwords per site, which in turn means I'm going to rely on software to manage those credentials for me. If I'm relying on software to manage those credentials for me, isn't it _more secure_ to reduce the possibility of human error, clipboard scraping, incorrect file permissions on my local unencrypted file of passwords (because if it's encrypted I need a password for this too, right?)



If you google passwordless, biometric solutions are one way to go, hence I mentioned them, not because I was trying to put it into your mouth.

If someone has access to my password they either got it by torture, a non- or insufficiently hashed store on the other end, or by breaking encryption.

A simple dongle that may not even need a password is easier to get.

2FA can make sense, passwordless does not.

The risk of a 3rd party screwing up doesn't go away, it's just shifted to another 3rd party, which again, you have to trust.

I use a different email address with a unique password for anything that's important and where another person having access could harm me. Forums and such are not a part of that.

So let's agree to disagree. I'll stay with passwords for everything that's important and for most things that are really important, apart from banking that is, I don't even have a 3rd party involved.
