“Passwords are fine” only in a theoretical world where everyone uses passwords “correctly” and securely. But in the real world people don’t, so passkeys are a much better and easier method.
I fail to understand how educating billions (?) of people about proper password hygiene is faster or simpler than moving all authentication to a “tap this button to magically log in” method.
I think the main problem is that SMS sender numbers can be easily spoofed (might depend on country, operator, …), so relying on “this message came from where it says it came from” is not really possible.
It might not be an issue for some types of usage, but sounds risky if used for account security/recovery/etc.
This is not specifically about Cloudflare’s “challenges“/etc, but —
The reality of operating a big site/service on the internet in 2022 is that it’s sometimes necessary to use methods that annoy a few people (with very non-standard browser settings) in order to protect the service as a whole from a million bots trying to attack it at any given time.
In Estonia, you can link a phone number to your IBAN. When making payments, the sender just needs a phone number, and the corresponding IBAN is automatically looked up. (The lookup service is managed by the central bank, and used by all (major) banks.)