@Leszek_Karlik A password is less safe than a passkey because it can be MITMed and reused. On entry it can be stolen if your computer is compromised or there's a camera watching you type. On receipt, it can be exfiltrated if the web server or its edge server is compromised.

Now, random PW+TOTP as you say, that looks more appealing the more I see how passkeys turned out. But with passkeys in the world TOTP support may not be an option in future (NPM recently put hard restrictions on TOTP use).

@Leszek_Karlik There was a period of some *years* that Twitter was, due to a "mistake"¹, logging every password as it came in from the login page, to a plaintext log file no one² realized was there. This single incident to me proves we want negotiate-shared-secret, not password-transmit, login protocols.

blog.x.com/official/en_us/topi

¹ IMO the chances are exceedingly high the "mistake" was inserted on purpose by an employee working on behalf of a nation-state actor.

² Except the nation state actor.

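To make the "password-transmit vs negotiate-shared-secret" distinction in the posts above concrete, here is an added illustration (my own example code, not mcc's): a login endpoint with a stand-in for an accidental request log. With password-transmit the password lands in the log; with a challenge-response login the log only ever holds a one-time nonce and a MAC, which cannot be replayed. The user, salt, password and iteration count are constructed for the demo; this is plain HMAC challenge-response, not a PAKE or a WebAuthn passkey, so the server still holds a password-derived key.

```python
import hashlib
import hmac
import secrets

# Constructed sample user: the server stores a key derived from the password
# (PBKDF2), never the password itself.
SALT = b"constructed-salt"
PASSWORD = "correct horse battery staple"
ITERATIONS = 50_000
SERVER_KEY = hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), SALT, ITERATIONS)

request_log = []          # stands in for the accidental plaintext log
outstanding_challenges = set()   # nonces issued but not yet used

def derive_key(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

def password_transmit_login(username: str, password: str) -> bool:
    """Client sends the password itself; everything received gets logged."""
    request_log.append(f"{username}:{password}")
    return hmac.compare_digest(derive_key(password), SERVER_KEY)

def issue_challenge() -> bytes:
    """Server side: fresh random nonce, remembered so it can be used once."""
    challenge = secrets.token_bytes(32)
    outstanding_challenges.add(challenge)
    return challenge

def client_respond(password: str, challenge: bytes) -> str:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(derive_key(password), challenge, hashlib.sha256).hexdigest()

def challenge_response_login(username: str, challenge: bytes, response: str) -> bool:
    """Server side: log what arrived (nonce + MAC), verify, consume the nonce."""
    request_log.append(f"{username}:{challenge.hex()}:{response}")
    if challenge not in outstanding_challenges:
        return False          # unknown or already-used nonce: replay rejected
    outstanding_challenges.discard(challenge)
    expected = hmac.new(SERVER_KEY, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)

def password_in_log() -> bool:
    """What the 'years of logging' incident would have exposed."""
    return any(PASSWORD in entry for entry in request_log)
```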

https://mastodon.social/users/mcc/statuses/115663988399111486