One year on from the Heartbleed episode, we see more and more reports of passwords being stolen. Every time it happens some commentators or vendors will come forward and say biometrics are the answer.
They are not…
… at least not yet. Here’s why. Most users will use passwords in at least two different scenarios:
- Local device logon. The (username and) password you use to logon to the computing device you want to use. For example, your logon password for a laptop/PC or the PIN for a mobile device.
- Remote Access. For example the password to gain access to a web site, via the web browser application.
For local device logon, I am content with biometrics (if implemented well)[1]. I use biometrics via the built-in reader in my Dell laptop to login to Windows.
It’s remote access where I have the issue. In the majority of applications, the biometric is used to unlock access to a local password manager. The local password manager[2] then uses a pre-stored password to gain access to the site. I.e., this is not a biometric solution at all, but a password manager with a biometric to unlock the password vault. So all the issues with passwords stolen from the server remain; all the issues with brute force attacks remain; and if the user is not savvy, the complexity and uniqueness arguments remain too.
My concern – marketing will drive many users into a false sense of security. This is back to the “Tell the Truth” message in 5 Observations on Moving the Cyber Industry Forward.
There is no ideal, but my current approach is described in Changing 40+ Passwords: Thanks Heartbleed.
- Two-factor/two-step verification for stuff I really care about;
- An offline password manager for stuff I really care about that does not support 2FA; and
- An online password manager for all the things I am forced to have logins on, but don’t have much to hide.
There is growing momentum behind FIDO…