8n4vidtmkvmk 5 days ago

I thought the same for a long time but now I don't know. If your computer is compromised, they can exfiltrate your password, but with a hardware key they can't, so I think that's legitimately more secure than password+OTP. It still needs a PIN though to protect against device theft. I bring this up because there's been a ton of compromised developer packages recently and Windows itself is being attacked, so even if you're pretty good about protecting yourself, you still might get screwed.

nvme0n1p1 5 days ago | parent [-]

If your computer is compromised, the attacker can just as easily read your email.

OTP can be used with a password.

hdjrudni 4 days ago | parent [-]

Uh huh? That's why I specifically said hardware key. Like a YubiKey. You can't digitally steal that.

akimbostrawman 4 days ago | parent [-]

That doesn't address anything. If your device is compromised they do not need your hardware key because they can just read all mails on device or steal login/session cookies for accounts and bypass authentication.

Passkey is still inferior to U2F + password anyways.