Are Passwords Obsolete? - Comments Page 2

Category: Privacy





All Comments on: "Are Passwords Obsolete?"


Posted by:

Pop
03 May 2014

Finger prints don't work for me! I 'messed up' both my primary and secondary finger prints and couldn't get into my laptop until I figured out how to change to a password.

With Windows 8 touch screen could you just sit on it? :o)

Posted by:

Marc de Piolenc
03 May 2014

I cringe at the use of biometrics for authentication. You may think your fingerprint is foolproof because it can't be duplicated, but it isn't your fingerprint that is presented for authentication against a database; it's a pattern of bits that can be just as easily duplicated and manipulated as any other such pattern. And in order to be useful, that pattern has to appear in at least one on-line database, so that there is something to which the fingerprint scanned by your bank can be compared. And when that fingerprint is compromised, YOU can't change it - you're stuck with that finger for life. Too bad, so sad, you're screwed. Give me an old-fashioned password that I can change any day!

Posted by:

glory
04 May 2014

Dear Bob, what are we going to do about our passwords... it's already exhausting... thanks.

Posted by:

Chris
05 May 2014

Keypass generators are alive and well. I've had one for one of my online gaming accounts for going on 6 or 7 years now ($6 retail for the hardware...). My bank has been saying they will start offering them 'soon' for 2-3 years now.

Posted by:

richard
06 May 2014

1) Biometrics can't work unless every computer and device has them and they are all working and the relevant data is available to check against.

2) Mobiles won't work until everybody has one (I don't) and you have a mobile signal you can use. I live in a UK city and our area has poor (sometimes absent) signal (I do have a mobile for work but unless I'm working it's not on me.) What if you are abroad?

One scheme is to have 2 factor for those occasions that do need them. My bank provides a chip and pin card reader as a verification means for some processes, you insert your card, enter your PIN and there is some form of query/response mechanism to proceed on the site.

Most sites really don't need to be that complex, do you really need all that security for a forum? A simple (even shared) password could be OK there. A bit more complex if it's a support forum for software you've paid for and so on. Banking and other sites that are really important you may want to secure further. One issue is people simply using their Google/Facebook accounts as login to other sites.

EDITOR'S NOTE: Biometric data can be stored on the device, as is commonly done with laptops and smartphones. And a mobile signal is not always needed for the 2-factor auth code. Google's authenticator app on Android phones does not. It relies on the date & time (and perhaps shoe size and phase of the moon) to generate a 6-digit code.

Posted by:

Charles
08 May 2014

Two comments.

One: years ago my wife was issued a pass code generator for work use. It had such a flimsy keyboard and small display that she could never be sure she had typed the right change into the device (the web site gave a 6 digit number and you had to type that into the device and then type the box's response to the challenge back into the web site, all in 90 seconds). Anytime she really needed to get logged in I had to help her with the dang machine.

Two: Many cell plans still charge a fee for each text message here in Canada. I really don't want to have to pay 25 cents each time I use a web site, so that the site can send me a magic number.

Posted by:

John
10 May 2014

The very secure solution I'm looking forward to is SQRL - see https://www.grc.com/sqrl/sqrl.htm. While you are there check out his write up on Password Haystacks. In the meantime, I use LastPass and long, totally random passwords that are unique to every website. Current two factor authentication sounds great, but when I installed Google Authenticator on my iPhone it killed several other unrelated apps.

Posted by:

Neil Richardet
11 May 2014

Security should be looked at as several layers of protection. 1. a firewalled connection 2. a good Antivirus prog 3. two anti malware progs 4. Win Patrol to deny unwanted changes 5. at least 2 alpha numeric passwords 6. inform yourself about "at risk" behavior while on the internet ex: airport free connections 7. read various forums that keep you up to date about changes in technology

Posted by:

RolandRackham
12 May 2014

A major problem w/ this article is it supports LESS security. In order to get the "one time code" from Google/Facebook/etc, you have to provide them with your cell phone number. They, in turn, use it for advertising. I had to change my cell number after I fell for this gimmick. I hadn't had a telemarketer call in over 10 yrs before this debacle.

Yes, we need a better authentication system, but the options presented are major steps back.

EDITOR'S NOTE: I'd argue this was a coincidence, or that your number was compromised in some other way. It just makes no sense for Google or Facebook to do that. It's never happened to me, and I've been using both for years.

Posted by:

Ruth
13 May 2014

So, how does one use 2FA without a smart phone or laptop? I know, others have asked the same question, but it does not seem practical to have to go out and buy new equipment and have to learn to use it, so that you can log in to GOOGLE or FACEBOOK! Thanks for the post, Bob.

Posted by:

Donatello
21 May 2014

Biometrics are too volatile for reliable use, suppose you damage or lose a finger thumb or eye, even a fairly minor cut on your thumb will change its appearance.

As people age or get ill, they can develop conditions such as retinopathy or macular degeneration, where will that leave them if they need their device?

As for cardiac rhythms, just wait for the day when you can't log on to your device because you've been taking exercise or have just had sex!

Additionally, of course people can develop a whole range of cardiac arrhythmias well short of a full blown MI, particularly as they age.

Now if someone is suffering a full blown heart attack, then access to their device is the least of their problems but, should they recover, their heart will be scarred and its rhythm changed.

Remember, of course, that with the current system of checks and balances, you don't have to give your mother's REAL maiden name or the real name of your first school either if it can be guessed, if I put that my mother's maiden name was R2D2 and my first school was Chicken Curry, the authentication routine is not going to come back and say that was wrong. (I haven't used those by the way)

It seems somehow counter intuitive but you can add to your current level of protection by LYING!

Posted by:

PJVanDamme
01 Aug 2014

In the future, in my opinion, we will get rid of the simple "pass or fail" gates that protect our accounts.

The way many online services now work, is that they place a wall around the city, let anyone pass with valid papers (even if the black man who carried them last week has inexplicably become a white woman, and

In the future it won't be a simple "pass or fail" - it will be about chance. Intelligent software will monitor our behavior and evaluate the odds that the user logged in is legitimate.

This could be as simple as evaluating keystroke rhythms, mouse movements, patterns in navigation, analysis of a style of writing on forums, typical order of transactions on bank sites etc. Cross-checking data will become more prevalent as well, though not without many many issues and controversy.

If a user's behavior has become suspicious, the system will ask for additional verification, or might even alert some pre-defined party/parties so a human can intervene. It may even shut down the account - if my bank's site detects a sudden transfer of a large amount to some obscure account in the Maldives. Or if I'm suddenly shopping for expensive book sets when I'm a member of a local library and have said buying books is a waste of money.

Hell, identification on online/remote services could become a business where you register with a representative who will monitor your accounts for further protection.

Sure, such systems might require a formalisation/bureaucratisation of web usage. Then again, as we are doing more and more of our formal business online, that's only inevitable.
