geocar 9 days ago
> think this is mostly solved, or at least greatly mitigated, by using a Slack-style magic sign-in link instead of a code that you have the user manually enter into the trusted UI.

Magic links are better than codes, but they don't work well for cross-device sign-in. What Nintendo does is pretty great: If I buy something on my Switch, it shows me a QR code I take a picture of with my phone and complete the purchase there. I agree it is "mostly solved" in that there are good examples out there, but this is a long way from the solution being "best practices" that users can expect the website/company to take security seriously.

> a. This is already the case as long as you have an email-based password reset flow

I hard-disagree: If I get an email saying "Hi, you are resetting your password, follow these directions to continue" and I didn't try to reset my password, I will ignore that email. If I have to type in random numbers from my email every few days, I'm probably going to do that on autopilot. These things are not the same.

> anyone who possesses and is logged into the user's phone or laptop (the usual prerequisites for a possession-based second factor) can also get their password.

I do not know what kind of mickey-mouse devices you are using, but this is just not true on any device in my house. Accessing the saved-password list on my computer or phone requires an authentication step, even if I am logged in. I also require second-authentication for mail and most other things (like banking, Facebook, chats, etc.) since I do like to let my friends just "use my phone" to change something on Spotify or look up an address in Maps.

> Most websites should not be in the business of trying to use knowledge-based authentication on their users, because they can't know whether the secret really came from the user's memory or was instead stored somewhere

They can't know that anyway, and pretending they do puts people at risk of sophisticated attackers (who can recover the passkey) and unsophisticated incompetence on behalf of the website (who just send reset links without checking).

> Websites should instead authenticate only the device, and delegate to the device's own authentication system

I disagree: Websites have no hope of authenticating the device and are foolishly naive to try.
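The console-to-phone QR flow the comment praises, sketched as an added example (constructed for this page, not code from Nintendo, Slack or any commenter): the console gets only an opaque session id to poll and a one-time URL to render as a QR code, the already-authenticated phone approves the nonce in that URL, and the nonce is short-lived and single-use so nothing is ever typed into the console's UI. The class name, URL, TTL and the injectable clock are assumptions made for the example.

```python
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed TTL: the QR code is only useful briefly

class CrossDeviceSignIn:
    """Toy server side of a console->phone approval flow (constructed example)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested offline
        self._sessions = {}        # session_id -> {console, nonce, created, approved_by}
        self._by_nonce = {}        # nonce -> session_id (entry removed on first use)

    def start(self, console_id):
        """Console calls this; it receives an id to poll and a URL to show as a QR code."""
        session_id = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(32)   # the only secret, never transcribed by a human
        self._sessions[session_id] = {"console": console_id, "nonce": nonce,
                                      "created": self._now(), "approved_by": None}
        self._by_nonce[nonce] = session_id
        return session_id, f"https://example.invalid/approve?n={nonce}"

    def approve(self, nonce, phone_user):
        """Phone calls this after its own login has succeeded. True on success."""
        session_id = self._by_nonce.pop(nonce, None)   # pop makes the nonce single-use
        if session_id is None:
            return False                                # unknown, already used, or expired
        s = self._sessions[session_id]
        if self._now() - s["created"] > CODE_TTL_SECONDS:
            return False                                # too old; poll() will report expiry
        s["approved_by"] = phone_user
        return True

    def poll(self, session_id):
        """Console polls this: ('approved', user), ('pending', None), ('expired', None)."""
        s = self._sessions.get(session_id)
        if s is None:
            return ("unknown", None)
        if s["approved_by"] is not None:
            self._sessions.pop(session_id)              # one successful poll consumes it
            return ("approved", s["approved_by"])
        if self._now() - s["created"] > CODE_TTL_SECONDS:
            self._sessions.pop(session_id)
            self._by_nonce.pop(s["nonce"], None)
            return ("expired", None)
        return ("pending", None)
```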