I ran across this article the other day, talking about how these new technologies are going to kill passwords. I have to say though, that I largely find the tech they discuss laughable for killing off passwords. You may be thinking I say that, because it must be that they aren’t talking about 2FA, so I’m really just trying to sell you on something. Well no, they aren’t talking about 2FA, yes, I want to sell you something, but I also think that by themselves, the tech mentioned in the article isn’t strong enough to replace passwords.
Now that last statement probably has you thinking I’m crazy. They are talking about iris scanners. How can that not be better than a password? Well, for one thing, look at what I wrote before here, and you will see that there are some potential issues. You have to realize that everything here is basically a biometric technology (ok, the wearable that is discussed isn’t, but as noted, this security device also doesn’t seem to know who its owner is, either, so I don’t think that’s a wearable I could trust, no matter how strong the encryption). And here you have to think about what a biometric is — something you are. On the other hand, what is a password — something you know. Now just follow me for a second here, and tell me if one of these sounds a lot like a username.
What is a username but something that defines who you are. When I log in to my Amazon account, I have a username (my email address), and that uniquely says who I am. It is public information, visible to anyone whom I contact or whom I want to be able to contact me. A biometric is a publicly readable thing about me, whether it is a fingerprint, an iris scan, or my DNA sequence (a la Gattaca), it says something about who I am, but publicly available information is generally not the best for authenticating someone (else we would all still be using our Mother’s Maiden Name as the security code on all our accounts, right?). To have strong (not to mention secure) authentication, you need something private. Passwords may be a problem, but they are something I can keep secret, and something I can change.
But we all know passwords are also a pain to remember, and this leads to the talk about biometrics. But why would you want to log in with just your username? This is where 2FA comes into play. Solutions like YubiKeys, managed through a server like GreenRADIUS, allow you to get rid of the password, but not lose the private notion of the authentication data that is so crucial. Some day we may all be using biometrics, but I hope they are always paired with something we know or have, from a PIN to a password to a token, to ensure the best security.