@nikitonsky they are cryptographic credentials (so server side only includes your public key, no leaks) whose evaluation also involves web origin (so no fishing possible, like u2f second factor). Downsides: they are bound to their storage, you can't write them like a text password (hi Google on TV) making backing up not as easy. Having them in a password manager is already kinda close to regular passwords, but not quite.