Great read!

Do you think that any of the proposed changes could be used as an exploit? For instance, if I can try the passkey, then change the account to refresh my tries, and then come back to the previous account and try it again — I could use this to break the system (6 input combinations are not that many). Could we do something to either prevent it or forbid it?

At the same time, as we make “password screens” more UX friendly, in general, don’t we make it “easier” to exploit?

Thanks :)