
That is confirmed in the "How does this work?" section. Your concern is addressed in the "Why is this important?" section. The key is definitely more secure against cracking than a password. It is more vulnerable to being physically stolen, but for most people, that is a lower risk.


I doubt that.

Friends or family can't read your mind, but they can steal your physical key.

People putting PINs on their phones or passwords on their laptops are not afraid of being pirated. This is a vague, abstract threat to them. Becoming part of a botnet is really not important to them, and them getting their credit card stolen from the web is really not credible enough for a non tech savvy user.

What they are afraid of is other people looking at their stuff. Internet history. Pictures. Their clear-text personal documents.

Besides, a key is annoying. Where do you think they will store it when they travel? In the same bag as the laptop. So you steal the bag, you steal the password.


Friends and family can also steal your credit card, but this is not where the majority of credit card theft comes from.

Your example of people leaving the key with the laptop is a good example of one of the potential flaws, but just like if your credit card gets lost or stolen, you report it and it becomes unusable.

I agree that there is room for 2FA, but this is also surely preferable to the current system.


> Friends and family can also steal your credit card, but this is not where the majority of credit card theft comes from.

This is a false equivalence because knowing someone's credit card data only allows you to do one thing which happens to be pretty detectable: using their credit card for yourself.

Knowing someone's password allows you to know one or more of their secrets, including many applications that are virtually untraceable for the average user. So the deterrence factor is much lower in the second example making it much more likely that a nosy parent / sibling / SO will take a person's key.


You're making the false equivalence.

There's no reason that using a password/key can't be just as detectable as using a credit card.

Also trying to trace logins application side is rather foolish IMHO, this should always be done at the authority that is granting the authorization.


> There's no reason that using a password/key can't be just as detectable as using a credit card.

That's not my point. The status quo is that people get alerted if something uses their credit card inadvertently and don't have similar alerts for uses of their password other than in a handful of situations like Gmail logins.

It's definitely not impossible for people to keep tabs on their logins, but this isn't how the Average Joe operates.


Switching to a hardware based login system and getting centralized alerts when that login is used is likely going to be the default, not some pipe dream.

Plus, there's also the obvious solution for potentially stolen and misused keys... just add a PIN.


Anyone in the world could crack your password. (Well, any of 2.5 billion people with an internet connection.) Requiring a physical key instead cuts the attack surface down quite a bit. If you can secure your car and house keys, you can secure this.


You use it much more often than those keys. And really people don't care about being pirated by a stranger. They care about their spouse learning you still talk to your ex. Or your sibling getting a picture of you that is embarrassing.

And of course you need a duplicate for the key.


I think you should elaborate on the specific threat model you're describing. Are you assuming a dumped database? Or are you talking about a brute force against an online service?


That is exactly the question a user should ask themselves. I can't answer it for anyone else. But for your two cases, the key is more secure because there is no relatively short password that can be guessed. An attacker has to brute force the cryptographic key, which should be infeasible. Passwords are easier to crack online or offline, unless you've picked a password with 112 bits of entropy.


> brute force the cryptographic key, which should be infeasible.

Not only infeasible - physically impossible, in fact (barring quantum computers). Just 128 bits of entropy would take 1e16 (10 quadrillion) years to brute force at 1e15 attempts per second. :)
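The two comments above (the 112-bit password threshold and the 128-bit brute-force estimate) can be checked with a small worked calculation. This is an added example, not code from the thread or from any product discussed in it; it assumes the 1e15 attempts per second rate quoted above, a uniformly random password, and the usual charset sizes (26 lowercase letters, 36 alphanumerics, 95 printable ASCII characters).

```python
import math

# Rate quoted in the comment above: 1e15 guesses per second (assumption).
ATTEMPTS_PER_SECOND = 10 ** 15
SECONDS_PER_YEAR = 365 * 24 * 3600

# Charset sizes assumed for the password comparisons.
LOWERCASE = 26
ALNUM = 36
PRINTABLE_ASCII = 95


def brute_force_years(entropy_bits: float, rate: float = ATTEMPTS_PER_SECOND) -> float:
    """Worst-case years to exhaust a keyspace of 2**entropy_bits at `rate` guesses/s."""
    return 2.0 ** entropy_bits / rate / SECONDS_PER_YEAR


def password_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly from `charset_size`."""
    return length * math.log2(charset_size)


def min_length_for_bits(target_bits: float, charset_size: int) -> int:
    """Shortest uniformly random password from this charset reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(charset_size))


def compare(key_bits: int, pw_length: int, charset_size: int) -> dict:
    """Put a hardware key of `key_bits` next to a random password of the given shape."""
    pw_bits = password_entropy_bits(pw_length, charset_size)
    return {
        "key_bits": key_bits,
        "key_years": brute_force_years(key_bits),
        "password_bits": pw_bits,
        "password_years": brute_force_years(pw_bits),
        "password_length_for_112_bits": min_length_for_bits(112, charset_size),
    }


if __name__ == "__main__":
    # A 128-bit key versus a 12-character alphanumeric password.
    r = compare(128, 12, ALNUM)
    print(f"128-bit key:   {r['key_years']:.2e} years")
    print(f"12-char alnum: {r['password_bits']:.1f} bits, "
          f"{r['password_years'] * SECONDS_PER_YEAR / 3600:.1f} hours")
    print(f"alnum length needed for 112 bits: {r['password_length_for_112_bits']}")
    print(f"printable-ASCII length needed for 112 bits: "
          f"{min_length_for_bits(112, PRINTABLE_ASCII)}")
```

The 128-bit figure lands at roughly 1e16 years, matching the comment, while a 12-character alphanumeric password (about 62 bits) falls in about an hour at the same rate. Reaching the 112-bit threshold mentioned above needs an 18-character uniformly random printable-ASCII password, or 24 lowercase letters, which is why a stored key wins on the guessing axis even before the theft argument is considered.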



