I learned way too late in life that no one likes a know it all. Pretending you don’t know stuff makes people more willing to help you.

In my opinion, somewhat. Tokens that expire can’t be used persistently for exploitation, but if an attacker was able to obtain said token, why wouldn’t they be able to continue obtaining new ones?

Passkeys are the perfect antidote, but their adoption has been hindered by a lack of understanding of how they work, where they’re stored, and a renewed SSO tax, among over factors.