Besides pairing devices, there aren't a lot of actual use cases for balanced PAKEs.

Some PAKEs have the interesting property that passwords are never sent to servers.

Which is definitely a good thing. Insider threats and excessive logging are real threats, and passwords can be leaked before being hashed.

However, these PAKEs still don't prevent brute force attacks. Sure, every attempt requires an interactive protocol. But if you are operating the server, or have a copy of the database (including keys for salt-hiding PAKEs), that can be done locally, and the PAKE doesn't provide any value.

What I would love to see is a standard scheme that requires at least a third party: a multi-party computation relying on servers operated by different entities that don't know each other's secrets and can be semi-honest. So, if any of these parties gets compromised (even internally), this doesn't reveal anything about passwords or the data held by the other party.

All the pieces to build this exist, but an actual protocol doesn't.
