I want my login credentials synced to all devices, and to not need an extra piece of hardware.
Until Android and Linux can somehow sync, I'd much rather have passwords that Bitwarden can easily manage and sync.
Passwordless will be great eventually but it doesn't seem to be ready for general use yet. We need APIs for apps to be able to provide virtual, software-implemented authentication the way password managers currently provide autofill.
Otherwise, you're stuck with either no sync, or some OS-provided sync solution locked to one company.
Bad passwords aren't really an issue unless you're manually creating and remembering them.
We just need to stop the losing battle of telling people to make their own secure passwords out of words and numbers, and focus on password managers and 2FA.
But in what way does this do any better than 2FA security-wise, aside from convenience? imo 2FA is already overkill. I think the real reason they want this is it makes it easier to push federated login, easier to connect data points to a single identity for advertising.
My stance on this is that I refuse to use any sort of biometric login or service. I refuse to use any product that has it as a strict requirement.
On the issue of "federated login", though, I think that modern efforts to replace passwords do consider the threat model of adversaries trying to correlate your identity between sites, so the standards at least support you using unique keys between sites. If Apple wanted to track which sites you were visiting, it probably has simpler ways than subverting the login process, so I would need extra evidence to believe that was the danger/intent here.
[0] I've argued elsewhere that the requirements for supporting "device attestation" mean that we are effectively building DRM for human identity, with all the scope for abuses that that entails. Here's a Twitter thread that makes this point very well: