Harder than in the past. Look at it another way, some time in the past using just a password would have been considered 'good'. Now, using just a password is not considered 'good' in many domains, not my mum's computer. In the future any password of a complication that could be remembered might be considered not 'good' enough. Someone in the future would probably look back and say what we use now is not good. It was only a short time ago people considered a password and an SMS good enough for banking.
> Look at it another way, some time in the past using just a password would have been considered 'good'.

Maybe, if I'm generous, the 1960s?

> In the future any password of a complication that could be remembered might be considered not 'good' enough.

Human memorable secrets weren't "good enough" before and they aren't "good enough" now and they won't become "good enough" in the future. This is not a novel insight even if it's new to you.

> It was only a short time ago people considered a password and an SMS good enough for banking.

Not "people", banks. Go back and look, the people who care about security would have told you SMS "second factor" isn't a good idea back then too, but the banks weren't looking for actual security, they wanted to reassure regulators and customers that they were on top of this.
It's that emotional support versus engineering viewpoint. The banks offered emotional support. Don't fret, we care about security and we'll make everything OK. Outfits like Google took the engineering viewpoint. Understand problem, identify solution, deploy it. U2F => WebAuthn. Emotional support is great when your dog died, while engineering is a poor substitute. But if a bridge fell down, the emotional support rings a bit hollow; engineers can ensure the next bridge doesn't do that. I say user authentication is a "Bridge fell down" problem not a "My dog died" problem.