• CheGueBeara [he/him]
    ·
    3 years ago

    Most attempts to move away from passwords are direct attacks on anonymity. Email verification (hard to avoid now), adding your phone number, putting an app on your phone complete with verification data. They work great when you need to identify your actual person rather than just someone authorized to use the account.

    The better, newer stuff is WebAuthn-based, where you also register a public key and retain a private key. This has caught on in some spaces but should be promoted, particularly as a version using open software (and open hardware if it's based on a USB key) where you personally generate the private key. Unfortunately that's usually reserved for dev kits because the immutability of your key is supposed to be a security feature, though that also makes it a black box that could've been tampered with without leaving behind much evidence.

    The other major issue is availability. What happens when you lose the key? You still need backup auth like an email account if you haven't kept your private key backed up somewhere - the standard is to invalidate the public keys and then buy a new one. This is well beyond the hassle most people will put up with to get access to bringmefrozenyogurt.com.

    • crime [she/her, any]
      ·
      3 years ago

      The better, newer stuff is WebAuthn-based, where you also register a public key and retain a private key

      This doesn't seem particularly friendly to lay-users unfortunately. Don't know how you'd get someone whose password is password123 to get the basics of private key auth

      • CheGueBeara [he/him]
        ·
        3 years ago

        It's getting nearly friendly. The core workflow is to buy a YubiKey, enable WebAuthn at the website you're logging into, and plug in the YubiKey. Next time you log in (even with password123), it asks you to plug in the YubiKey.

        If websites make the registration part more obvious / default, it'll be as close as it can get to user-friendly.

        The next hurdle is getting grandpa to register 2 keys in case he loses one...

        • ToastGhost [he/him]
          ·
          3 years ago

          no one is gonna go out to the store and buy something to sign up for a website

        • crime [she/her, any]
          ·
          3 years ago

          In my experience the U2F key workflow falls apart on devices that don't have USB-A ports, like mobile devices, game consoles, smart TVs, certain years' worth of MacBooks, etc.