Today we seem to be living through a war on passwords. This is manifested in
various ways; in its most passive form, it takes the form of people blogging
about how passwords are bad. The more material change is the general trend
towards no longer treating passwords as a sufficient condition for access, in
favour of either mandatory “2FA” or, where 2FA is not used, risk-based
authentication, in which some extra authentication step is demanded at
unpredictable, seemingly random moments.

This step is commonly something like “enter the code in an email we just sent”
when trying to log in. Since this process is literally the same as most password
recovery processes, it raises the question of what the point of a password is
in the first place if you always have to go through this process when trying to
log in.

Often this will be combined with fallacious notions such as “remember this
device”, the idea being that you only have to go through all this the first time
you log in from a particular device. This idea is fallacious because the web
has no notion of a “device”, and this is a very intentional design choice
made for privacy purposes. We are literally living through the gradual
phase-out of third-party cookies, amongst other functionality, specifically to
try to prevent this sort of thing, so why do web developers persist in
believing in this fiction of a “device”? My own browser erases all cookies from
an origin immediately after the last tab from that origin is closed, so these
sites are convinced I am logging in from a new “device” every single time, and
then demand I respond to one of these challenge emails.

These sites treat passwords as so worthless a form of security that they no
longer meaningfully allow people to have one. The login flow and the password
recovery flow are essentially the same; the UI just pretends otherwise. Other
examples include PayPal, where you can literally enter a credit card number to
prove your identity and reset your password(!). In other words, knowing your
credit card number is considered a stronger or equal proof of identity than
either knowing your password or being able to receive an email.[1]

While every website for the masses now seems to be designed around the
assumption that everyone is going to set their password to “password1”,
web-based HTTP APIs are also widely popular nowadays. These services almost
invariably perform authentication via a token or “API key”.

An API key is basically a password, except that it is randomly generated by a
website with a large amount of entropy and thus assumed to be secure. A given
website might obnoxiously refuse to trust in my ability to set a secure
password, assume the 24-character randomly generated password I keep in my
password safe is insecure, and demand I complete an email challenge every time
I log in because I actually bother to exercise control over browser privacy and
persistent cookies, yet that same website is happy to let me authenticate using
an API key for API access as a single authentication step. No “2FA” here.

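As an added illustration, not code from the original post, the following Python sketch makes the point concrete that an API key is just a password with more entropy: the server stores and verifies both through exactly the same salt-and-scrypt path, and a single entropy bar applied to both passes a 24-character password-manager password as readily as a 40-character API key, while “password1” fails even under the generous assumption that its characters were chosen at random. The 128-bit threshold, the CredentialStore class and the sample secrets are assumptions constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import os
import secrets
import string

# Alphabet for generated secrets: 62 symbols, so each uniformly random
# character carries log2(62) ~= 5.95 bits.
ALPHABET = string.ascii_letters + string.digits

# Hypothetical policy threshold (an assumption for this example): a secret is
# considered strong if it carries at least this many bits of entropy.
MIN_ENTROPY_BITS = 128.0


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet of
    `alphabet_size` symbols. For a human-chosen string this is only an upper
    bound, since humans do not choose uniformly."""
    return length * math.log2(alphabet_size)


def generate_api_key(length: int = 40) -> str:
    """Server-side API key generation: a CSPRNG-chosen string over ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash of a secret (scrypt from the standard library).
    128 * r * n = 16 MiB of memory per evaluation with these parameters."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


class CredentialStore:
    """Stores password and API-key verifiers identically: salt + scrypt hash.
    Nothing in the verification path depends on which kind the secret is."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], tuple[bytes, bytes]] = {}

    def register(self, user: str, kind: str, secret: str) -> None:
        salt = os.urandom(16)
        self._records[(user, kind)] = (salt, hash_secret(secret, salt))

    def authenticate(self, user: str, kind: str, secret: str) -> bool:
        record = self._records.get((user, kind))
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong secret.
            hash_secret(secret, b"\x00" * 16)
            return False
        salt, expected = record
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(hash_secret(secret, salt), expected)


def meets_policy(length: int, alphabet_size: int = len(ALPHABET)) -> bool:
    """Apply one entropy bar to any secret, however it was produced."""
    return entropy_bits(length, alphabet_size) >= MIN_ENTROPY_BITS


def demo() -> dict[str, object]:
    store = CredentialStore()
    # Constructed sample secrets: a 24-character password as a password manager
    # would generate it, and a server-issued 40-character API key.
    manager_password = "".join(secrets.choice(ALPHABET) for _ in range(24))
    api_key = generate_api_key(40)
    store.register("alice", "password", manager_password)
    store.register("alice", "api_key", api_key)
    return {
        "password_bits": round(entropy_bits(24), 1),  # 142.9
        "api_key_bits": round(entropy_bits(40), 1),  # 238.2
        "password_meets_policy": meets_policy(24),  # True
        "api_key_meets_policy": meets_policy(40),  # True
        "password1_meets_policy": meets_policy(len("password1")),  # False
        "password_login_ok": store.authenticate("alice", "password", manager_password),
        "api_key_login_ok": store.authenticate("alice", "api_key", api_key),
        "wrong_secret_rejected": not store.authenticate("alice", "password", api_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noticing is that `authenticate` has no branch on `kind`: whatever treatment a service gives an API key (single factor, no challenge email) is, server-side, exactly the treatment a high-entropy password could get. Only the policy layer decides to trust one and not the other.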
API keys are used to secure the highest-stakes APIs that exist today — all of
AWS’s services, for example. Yet while API keys seem to be considered an
entirely reasonable and indust