PIN+limit is still a much worse user experience than a password:
- a PIN is hard to memorize, so people are more likely to use personally-relevant or common numbers, whereas a password can easily be both complex and memorable
- it's easy to burn through even 10 login attempts through any combination of temporary/permanent disability, stress, being drunk, damaged device...
- a wipe-after-failed-attempts system is trivial to abuse, be it by a prankster or a real adversary
- it's much easier to see someone's PIN over their shoulder or film them entering it
No, because passwords are just something-you-know (one factor) while a passkey that’s protected with a password is both something-you-have and something-you-know (two factors)
No, because a password manager still just stores passwords (one factor!); if someone got that password they can get in
The whole point of a passkey is that it’s something you have, not know:
- you can’t guess it because it’s a really long encryption key
- you can’t phish it because using a passkey does not give the passkey to the site, it just proves that you have the key (typical priv/pub key auth)
- you can’t steal it because passkeys are meant to never be moved from the device — it’s supposed to be impossible to extract them, as they’re supposed to live on a secure enclave type chip that is impossible to extract from