Signing In Sux: How We Move from Passwords to Biometrics

Mark Risher
4 min read · Apr 7, 2021

Every few days somebody asks me why we can’t just eliminate passwords and replace them with fingerprints.

TLDR we’re (mostly) gonna do it, but it’s gonna take awhile. So grab a cold drink and let’s walk the path to a glorious, passwordless future.

I hate passwords with a white hot passion, but as with most things other than vampires, there’s a lot of hype but no silver bullet solution.

Vampire coming out of coffin asking for a Netflix password

Passwords are clunky and terrible; biometrics are convenient and sci-fi cool. So why are tech companies too stupid to move us onto them? Because single-factor authentication is waaay worse for security so we still need a second factor.

Backing up, “authentication” means proving who you are by asserting an identifier (usually an email address, phone number, or arbitrary handle like @mrisher or mark risher) and answering a “challenge” that only the true owner of that ID should be able to.

Long ago, scientists decided there were three categories of auth challenges: something you know, something you have (possession), and something you are (“inherence” for the wonks out there; “biometrics” for the rest of us).

The problem with knowledge factors like passwords and PINs is that knowledge is transferable. Language is great for human (and dolphin) civilization, but it also enables hackers to steal your password and pretend to be you.

Dolphin hacker from “Johnny Mnemonic”

And since many of us reuse passwords on sites that inevitably get breached, if a password is the only thing between a hacker and your Crown Jewels, as soon as a hacker knows it, you’re “owned.” So we all want a second factor.

When people hear “second factor,” most think of a code sent to their phone. We’ve talked about why SMS 2FA and apps that ask “Are you trying to sign in?” are better than nothing but no longer state-of-the-art.

Security keys are better, but the rub with all these “something you have” factors is that they can get lost or stolen, so you still want a second factor (that’s the “2” in “2FA”). If possession is all it takes, you’re in a bad place if anybody swipes your phone.

Someone chasing a duck who stole their phone

The same goes for single-factor biometrics. We leave our fingerprints everywhere, and it’s expensive to make a face sensor that can’t be tricked by a sleeping person, mask, or printout.

Tom Cruise removing a lifelike mask in Mission Impossible

You wouldn’t want a stranger with a mask to walk into an Apple Store and get access to your data, so biometrics work best as a *second* factor: your face/fingerprint combined with *the specific phone you’ve already set up*.

(By the way, this isn’t a theoretical possibility; science has mostly caught up with Mission Impossible.)

IOW, we wouldn’t want to just *replace* passwords with biometrics, but we can move from passwords to biometrics+something. And we finally have a viable “something.”

So What’s the Plan, Stan?

Easy: sites need to adopt WebAuthn, a new standard that lets the biometrics on your phone unlock a website or app. Along with OpenID Connect (the tech behind the “Sign in with Google” button), these can offer secure and convenient authentication for any site or app.

If you run a site with username+password, upgrade to these technologies! They’re more secure for you *and* more convenient for your users, outsourcing the hard bits & streamlining the rest.

And in the meantime, everyone needs to get on the autofill/password manager train! If you memorize passwords, it’s too tempting not to reuse them across sites, and eventually you’re gonna be phished on one of those sites. All of us can be phished.

Password managers also up your game against phishing, because they match the site you’re on before entering the password. It’s not foolproof, but your password manager is much less likely than you are to get tricked by “paypa1.”

Google Chrome and Android have autofill built in and shared across all your devices for free, and together with g.co/securitycheckup they will automatically help you fix any breached, reused, or weak passwords. 1Password and Dashlane are also popular.

Swapping pwds for biometrics isn’t the answer, but biometrics are coming via webauthn, and combined with “Sign in with Google” and your password manager, we can be all safe and secure and barely have to think about passwords anymore.

Mark Risher

Director @ Google; startup co-founder; former theater nerd. Biracial. He/him.