If you'd take a passwordless login with FIDO2 (now promoted "Passkeys" by Apple and Google) it would mainly require to use FaceID / Windows Hello / Fingerprint / PIN ... or whatever your devices deem necessary. Could be used on any and cross-device.

This may be a good future. But it seems like this isn't available to most people on most browsers yes. Especially if you want to sync across ecosystems.

I like how tangible passwords are. Even with a password manager I can write them on a piece of paper, store then in a vault and enter them into a new computer. My grandmother understands this process.

The key-based systems are basically magic. Magic that works great as long as you are inside the defined parameters on supported devices. I think it will be years after the "first baked release" before we see relatively user friendly manual backup and restore. Something this is second nature in most password managers.

I'm glad that your grandmother uses a password manager. We actually had a lot of feedback from teens and children and the concept of MFA/2FA seems to be hard to understand for less technical people. We were surprised by the actual understanding after some user research.

Yes, availability on all browsers and devices is not yet up to 100%. I hope to see a fast adoption, but agree that it could actually take some time. I use Passkeys on a daily basis for the last ~1.5 years wherever possible and won't go back anytime soon :)

Chrome supports a webauthn solution built-in if you don't have windows/platform authentication support. I think Firefox does too, and probably even Safari on really old machines. If you are targeting semi-modern browsers and devices made in the last 5-10 years, you should be fine.

Yes. To my knowledge WebAuthN works great on Chrome, Safari, Firefox (most times) on MacOS/iOS and Windows devices. Linux is still an issue unfortunately as it seems.

Opposite of what I'd expect.

> Why not? Most browsers are slowing pushing password managers on users and the experience is lovely.

Most browsers in 1996 had "save this password" functionality... it's not a new thing.

I think it has gotten more aggressive with popups to use a generated password appearing any time you focus a password field.

This is a perfect HN user response. You are a power user; "This is even worse if I am using a per-site email address" - no one does this. The majority of people are normal.

Sure, but that barely changes the equation. Just a minor improvement over the power-user case.

> Do you not have to enter email on register?

Yes, I have omitted this from both workflows.

> Where is the email confirm step for password signup?

Good point, most websites will want to confirm the email address. I didn't include that.

> Finding the tab you just opened and dragging it... really?

Yes, I like to keep my tabs organized. I'm not even a tree-sytle-tabs user but at least want to get the right window. The point is that magic links disrupt my in-browser workflow with switching between apps and opening links in new tabs.

> is a magic link really so difficult to use twice a year?

No, but it is still more difficult than a password multiple times a year. Neither of these have a yearly cost so it doesn't really matter how often you do them. I wouldn't use "only twice a year" to justify that people can come to our office in person to authenticate over a magic link.

> > Do you not have to enter email on register?

> Yes, I have omitted this from both workflows.

You specifically complained about having to enter your email on the magic link flow:

> 1. My email address never auto-fills so I need to click the field and select the completion suggestion. This is even worse if I am using a per-site email address.

> > is a magic link really so difficult to use twice a year?

> No, but it is still more difficult than a password multiple times a year. Neither of these have a yearly cost so it doesn't really matter how often you do them. I wouldn't use "only twice a year" to justify that people can come to our office in person to authenticate over a magic link.

Yearly costs to who? The user? I guess there isn't really a cost to them other than storing/keeping the password but there is absolutely a cost to the developer and I'm not talking about the cost of storing a hashed/salted password in the DB itself. There is a cost to build and maintain a password-based system. It means implementing and maintaining a number of things like your salt, password complexity requirements, password reset flow, and more like you going to use something like HaveIBeenPwned's hash list to make sure people aren't using known passwords?

Passwords are not zero-cost and have ongoing concerns. I'm not saying magic links are always or even often the best choice, just that they do have a perfectly valid use-case.

> but there is absolutely a cost to the developer and I'm not talking about the cost of storing a hashed/salted password in the DB itself. There is a cost to build and maintain a password-based system.

Seriously ... if today's developers are unable or unwilling to learn about basic hashing/salting and database storage/value comparison, and consider such concepts 'costly' ... we may have passed the zenith of technological advancement, and are in a 'downfall of the Roman Empire' phase. Have some pride in your work.

> It means implementing and maintaining a number of things like your salt, password complexity requirements, password reset flow, and more like you going to use something like HaveIBeenPwned's hash list to make sure people aren't using known passwords?

Do you reinvent the wheel whenever you need to drive somewhere? these things mostly are already baked into most frameworks, and if they are not, most developers build something like this once, and reuse.

> [Magic Links] they do have a perfectly valid use-case.

Annoying customers and forcing them out of your business into the willing hands of your competition?

It's amazing how you, knowing nothing about my stack/use-case can speak with such authority. Going as far as to assume that we must be in a "'downfall of the Roman Empire' phase" because I see value in magic links and because I don't want to implement password support, again, in a product you know nothing about.

I have a very good reason for picking magic links, also the codebase for my project does not ruse a framework (there exist no good ones in the space I'm in) but instead of being curious you decided to be condescending. Cool.

> You specifically complained about having to enter your email on the magic link flow:

For logins yes:

> My email address never auto-fills so I need to click the field and select the completion suggestion. This is even worse if I am using a per-site email address.

My email always autofills for regular login forms. Maybe this is a bug in my browser but either way it is an inconvenience that I face.

> implementing and maintaining a number of things like your salt, password complexity requirements, password reset flow

If you are using any halfway popular language there is a library that does all of this for you. In fact it is probably easier to use a pre-packaged library than for magic links, but I'm sure those libraries could appear if magic links become more popular.