
While I would rather use a password manager myself to keep accounts separate and not reliant on a single big tech account, I’m sure your average user would love the convenience of this and its overall security benefit would be a positive



>on a single big tech account,

And those big tech companies are free to lock you out from your account for no reason with no recourse.


Yeah it’s definitely not for me, but for your average user who isn’t tech savvy and uses the same password for everything: this is an improvement


Being locked out is an improvement?


It's much more likely for the average user to forget their password than have their account banned deliberately. This would, overall, reduce friction when logging in.


… and consumer protection regulation may never arrive, while the feudal digital fiefdoms gain ever more power.


As far as I can tell this doesn't actually require a "big tech account".

I am imagining this working like OTPs that are generated on phones. The actual standard will be open and the implementations do not require a specific platform or any kind of "account", but most people will run it on their phone with Android or iOS because it's handy for them.

I also don't think it's going to require running on a phone, just like OTPs. I can generate OTPs for 2FA purposes on my desktop system running Linux and it works great!

If it does end up working like that, I think it's a great idea.


It doesn't require one from a technical perspective as you've pointed out, but every business incentive is to lock people in to accounts. It makes it easy to collect data on the users, to enforce payment by locking accounts, etc.

I too prefer offline-first tools, but the market doesn't, and people are trained to sign up with an email account and password so for the masses "this is just how it is".

I don't want to be a pessimist, but examples of user-respecting systems are mainly commonplace in certain corners of the highly technical FLOSS world; it's certainly not the experience of the average person.

TOTP being a notable exception.


Voted for reasonability.

Did you see Demolition Man? What do you think about the beginning?


I haven’t seen it but I skimmed the plot on Wikipedia and I don’t see exactly how it’s related – could you elaborate?


The villain is locked in a room which requires a retinal scan from the guard to leave. So he proceeds to stab the eyeball of the guard with a pen to be able to unlock the door.

As such I tend to prefer cloneable credentials. Everything that is unique (cellphone, ...) would imply that access credentials could be stolen (as in, actually stolen, not copied), which could imply the threat of violence to succeed.


I would much rather someone attempt to steal my phone irl, as opposed to someone on the other side of the globe cloning my method of accessing my accounts without me even being aware until it's too late.

To clarify, this wasn't meant as an attempt at "tough guy" acting. If someone tries to coerce my phone out of me irl by threats of violence, they will get the phone. But this being done irl at least has a much easier path to being able to trace the criminal, actually prosecute them, and to minimize the damage to my accounts.

Not even mentioning that it is much more risky for them to attempt, given it would have to be done somewhere around a public place with other people and law enforcement around. Meanwhile, some guy from an Eastern European country cloning my access credentials to compromise my accounts will almost certainly never be traced, and 100% won't get prosecuted (and that's on top of me not being able to be aware of that happening until after the fact).



