Sure we can. Every website can implement good password security. Every user can use a strong, unique password.
The experiment is only happening because, if everything goes perfectly, security is achieved!
But the results are in. People don’t. Websites don’t.
I’m looking at this as a student of history. Indeed it would be great if we could live in a passwordless world. That is a very real and likely possibility.
In 200 years will people still be fumbling around with passwords? When the more time that passes, the more predictable the passwords become, it's pointless.
The concept of providing a secret in order to authenticate, that's not going away. But the human element in creating and remembering that key, that will definitely go away.
I know it's hard to imagine it right now, it's hard to escape our current reality, but if there is a more convenient way to authenticate that is also more secure, it will be done.
Another thing that will probably change is every website authenticating you. It's not really the job of a website to authenticate you.
When something like OpenID Connect gets its shit together and becomes effortless to implement, why would I ever opt to handle the authentication of some random people logging in to comment on my blog article?
If I’m a security hobbyist, alright. Assume my blog is about cooking recipes though. I just write posts about food. I don’t care how you authenticate, and I don’t want to fool around with managing your password recovery workflow or be responsible for any of that.
You see what I mean by it not being a website’s responsibility to authenticate you? So many websites do it wrong, that I don’t think the answer is to educate all of the different websites how to do it right. Their website isn’t about ‘how to correctly authenticate’. For most websites out there, the ideal solution is to not handle authentication.