Or just use federated authentication à la log-in-with-X, with non-SMS 2FA protecting the identity account. SAML, OIDC, and friends are immune to dictionary attacks, leaks, rainbow tables, cross-site re-use, and all the other password problems.

If you can trust X enough to not allow social engineering for password resets, then it provides at least as much security as a memorized passphrase. Google provides Advanced Account Protection for people who really need it.

Hopefully most sites start allowing multiple federated identities per account so that anyone worried about keeping all their eggs in one basket can maintain and attach more than one identity.

For any X meeting the above criteria, it's going to be a much harder target than any random online service accepting the federated credentials (this applies to insider threats and external attackers alike).

X doesn't exist for you? Help build it. There's no specific reason that Facebook, Apple, and Google should be the only trusted identity providers on the web, but they do invest significant effort in minimizing account theft and hardening their infrastructure, and most eat their own dogfood to protect their corporate assets. The big advantage that Apple and Google have is that they can tie identity to biometric and physical factors in a way that's hard for anyone else to achieve.

Once computing implants are widely in use, identity can move to that, but until then we have cell phones that, paired with U2F hardware, can be the root of trusted identity and (with a passphrase and lock screen timeouts) are practically immune to anything below state-level actors. 0-day exploits exist, but they're sold to state actors and held in reserve.

Note: This only applies to online services. Memorize your device encryption keys for local data security; there's no way around that.

The problem is trust. What would you do if, e.g., Google closed your account? Something like an easy-to-install on-prem X speaking a standard API with pluggable 2FA could be a winner.