The calm before the storm
> eliminating passwords from the user authentication process reduces the damage from list-based attacks, and from a usability perspective, providing an authentication method that does not rely on remembering passwords
Well, yes. But only because there is an inevitable lag between someone introducing a new security feature and the baddies exposing its weaknesses. Although it seems to me that FIDO / SMS based authentication does little except make users even more dependent on technology and extends the length of the chain of events. So rather than having people contain their passwords in their own memory (brain) and then use their own fingers to enter it, there are now several electronic systems that the authentication data has to pass through, first. All of which have to be working, secure and kept up-to-date.
None of which are under the control of the user (which admittedly, might be a good thing!)
And that is presuming you don't lose your phone, go somewhere that cannot receive the messages, allow your battery to go flat or break it. ISTM all this does is trade one set of potential problems (hacks, forgotten passwords) for a different set.