- secrets are not static, unlike passwords, reducing risks from logging/monitoring code or certain types of keyloggers (especially hardware keyloggers)
- secrets cannot be human-generated and are known to be high-entropy (password managers can also effectively ensure this)
- secrets cannot be shared across multiple websites (password managers can also effectively ensure this)
- you can revoke access to someone's future ability to authenticate without having to change passwords
Depending on exactly how you choose to implement it (namely, how you choose to set up Slack logins/SSO), you might also get
- login effectively requires attestation of identity that are independent of "knows a secret," such as "has a certain physical object" or "is coming in from a particular network" or "passes certain behavior checks/hueristics"
You don't get
- long-term secrets cannot be stolen by malware because they are fixed in a physical object
- the 2FA mechanism is capable of authenticating only to the specific website, eliminating phishing risks (password managers can also effectively ensure this)
but if you're not using a hardware code generator (and possibly not even that, see also the RSA seed breach) or a WebAuthn device, you aren't getting those anyway.
