BeeePollen

Non-password authentication methods: theoretical advantages?

Can someone help me understand the major reasons why some of the more prominent alternatives (or supplements) to password-based authentication are more secure than passwords?

In addition to a general answer, it would be awesome if you could confirm, deny, or complicate my assumptions about this topic (which are mostly just based on speculation). To keep it simple for myself, I’m trying to compare everything to “normal” passwords as much as possible.

1. It seems like many common methods, like FIDO or the “authenticator” apps, involve a backup password, and the authenticator apps encode their backup info in a QR code.

2. Because of #1, to a first approximation, it seems to me like using an authenticator app is basically like having an extra-long password that you write down and carry around, but that you can enter quickly instead of transcribing it. The password is also recorded in a valuable notebook, so people are maybe more afraid of stealing it.

3. Because of #1, to a first approximation, it seems to me like using a FIDO-type method is basically like having an extra-long password that you write down and hide in a safe place, and can only be used (but not stolen) by someone who has your phone. (Unless they find your hiding place.)

Am I way off base?