Hacker News

dwaite, last Tuesday at 12:15 AM (0 replies)

> Force you to use email or SMS as a "second factor" to unlock changing password even if you know the old password

Apple has detectors for codes sent via email or SMS, if your email account is one that is configured with the OS mail client.

> A stupid idea of password complexity usually requiring one of a finite set of 5-8 "special characters" which is often only revealed after you've chosen a password that doesn't have them. Or in some cases even banning characters other than the ones they check for. There's a standard for this where you put a regex on the password field, which a good password manager will always use, but the kind of idiots who think limiting the entropy of passwords to increase security is the correct way to do things almost NEVER implement this.

An AI agent can read the failure message and craft a new password.

> A maximum password length, even as short as 16 characters in many cases

Same deal.

> CAPTCHA etc.

While there's always the complex solution of scanning the image and trying to detect what is going on, or sliding the puzzle with enough of a curve to act like the motion of a human limb, there's also Private Access Tokens, supported by both Cloudflare and Google-provided captcha systems now IIRC. The OS uses an anonymous system to assert a single bit that there's proper browser chain-of-custody.

> Any effort spent on this would be better spent elsewhere, including even educating other companies on how passkeys should be used.

There are proposals as well to provide an API to do upgrades from passwords to passkeys automatically. Nobody said the feature has to always use AI - but it may help the feature be robust enough for people to seek it out and try it.
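The "standard for this" in the quoted comment is most likely a password-rules attribute on the field (Apple's `passwordrules`, which password managers read); as an added example (my code, not the commenter's or Apple's), here is a small parser for that rule syntax with the server-side validator and the password-manager-side generator that makes the policy satisfiable on the first try. The named classes are Apple's; the `special` set, the 12/64 length defaults and the assumption that custom classes contain no `;` are mine.

```python
import secrets
import string

# Named classes from Apple's passwordrules vocabulary; "special" is an assumed subset.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "-!@#$%^&*_+=()[]{}:;,.?",
}

def parse_rules(rules):
    """Parse 'minlength: 12; required: upper; required: [-.@]' (no ';' inside [])."""
    spec = {"minlength": 12, "maxlength": 64, "required": [], "allowed": []}
    for item in filter(None, (p.strip() for p in rules.split(";"))):
        key, _, value = (s.strip() for s in item.partition(":"))
        if key in ("minlength", "maxlength", "max-consecutive"):
            spec[key] = int(value)
        elif key in ("required", "allowed"):
            spec[key].append(value[1:-1] if value.startswith("[") else CLASSES[value])
    return spec

def alphabet(spec):
    # Every required class is implicitly allowed; "allowed" only adds to that set.
    return "".join(sorted(set("".join(spec["required"] + spec["allowed"]))))

def validate(password, spec):
    """The server-side check: length, every required class, allowed set, runs."""
    if not spec["minlength"] <= len(password) <= spec["maxlength"]:
        return False
    if set(password) - set(alphabet(spec)):
        return False
    if not all(any(c in req for c in password) for req in spec["required"]):
        return False
    limit = spec.get("max-consecutive")  # e.g. 2 forbids "aaa"
    if limit and any(len(set(password[i:i + limit + 1])) == 1
                     for i in range(len(password) - limit)):
        return False
    return True

def generate(spec):
    """The password-manager side: one char per required class, fill, shuffle, re-check."""
    while True:
        chars = [secrets.choice(req) for req in spec["required"]]
        chars += [secrets.choice(alphabet(spec)) for _ in range(spec["minlength"] - len(chars))]
        secrets.SystemRandom().shuffle(chars)
        password = "".join(chars)
        if validate(password, spec):  # retry only if a random run broke max-consecutive
            return password
```

Rejecting a character the site never advertised (the `!` case in the validator) is exactly the "banning characters other than the ones they check for" failure the comment complains about; advertising the rules up front is what lets the manager avoid it.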