[Rant] The case against password-less authentication

Hi @leonfeng, because virtually every service uses email-based password reset, passwords are essentially meaningless. They add a ton of vulnerability (passwords can be guessed or cracked) without adding any real security.

Even if you have the best password on earth, there will still be an email recovery option, so all of those issues with SMTP mentioned in the article don’t seem to be relevant here.

Your packet capturing situation is relevant, and having to use email auth to sign in to a new device marginally increases the likelihood of interception. A majority of people use either Gmail or an Apple mail app, both of which encrypt emails in transit. The “at rest” risk would imply either you’ve compromised the mail server or you’re a government powerful enough to force companies to hand over your email.

So balance that tiny increase in risk against the massive risk associated with people using bad passwords, and I think you’ll agree that passwordless is much safer.

Regarding your password manager argument, I use a password manager and it’s a pain on mobile. I have to use my password to sign into it, then copy/paste the password into the form. This takes around a minute. I think getting a one-time email to authenticate the device would be much faster for me.

The only situation where I think passwordless would be considerably slower would be if you always clear your sessions or always surf incognito, which would mean you’d have to reauthenticate every time you visited freeCodeCamp.org.
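As an added illustration of the one-time email flow the post describes (example code added here, not from the original post or from freeCodeCamp): a minimal magic-link issuer and verifier that shows the three properties such a link needs to be safer than a password, a token that cannot be guessed, a short expiry, and single use. The in-memory store, the fake outbox standing in for SMTP delivery, the `example.invalid` URL and the 15-minute lifetime are assumptions made for the example.

```python
"""Passwordless (magic-link) login tokens: issue, deliver, verify once.

Example added to illustrate the "one-time email to authenticate the
device" flow. The store and the outbox are constructed stand-ins; a real
service would persist tokens server-side and send the link over SMTP.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: links are valid for 15 minutes


class MagicLinkService:
    def __init__(self, clock=time.time):
        self._clock = clock
        # token_hash -> (email, expires_at). Only a hash of the token is
        # stored, so a leaked database does not contain usable login links.
        self._pending = {}
        # Constructed "outbox" replacing SMTP delivery for the example.
        self.sent = []

    @staticmethod
    def _hash(token):
        # Hashing the random token before lookup means the stored value is
        # a one-way derivative; an attacker who learns the stored hash still
        # cannot produce a link that redeems.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Create a fresh token for `email` and 'send' the link."""
        # 32 random bytes (256 bits): the token cannot be guessed or
        # cracked offline, which is the property passwords lack.
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._hash(token)] = (email, expires_at)
        link = f"https://example.invalid/login?token={token}"  # assumed URL
        self.sent.append((email, link))
        return token

    def redeem(self, token):
        """Return the email for a valid, unexpired, unused token, else None.

        The token is removed on the first redeem attempt whatever the
        outcome, so a link intercepted in transit cannot be replayed after
        the legitimate user has clicked it.
        """
        entry = self._pending.pop(self._hash(token), None)
        if entry is None:
            return None  # unknown, already used, or already expired-and-removed
        email, expires_at = entry
        if self._clock() > expires_at:
            return None  # expired links are rejected, not honoured late
        return email

    def purge_expired(self):
        """Drop expired tokens so the store does not grow without bound."""
        now = self._clock()
        stale = [h for h, (_, exp) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)
```

In practice the link would also be bound to the browser that requested it (a cookie set at request time and checked at redeem time), so that a link forwarded or intercepted elsewhere does not log in a different device; that binding is omitted here to keep the core properties visible.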