Every few days somebody asks me why we can’t just eliminate passwords and replace them with fingerprints.
TLDR we’re (mostly) gonna do it, but it’s gonna take awhile. So grab a cold drink and let’s walk the path to a glorious, passwordless future 1/
I hate passwords with a white hot passion, but as with most things other than vampires, there’s a lot of hype but no silver bullet solution 2/ Vampire in coffin asking "What's the Netflix password a
Passwords are clunky and terrible; biometrics are convenient and sci-fi cool. So why are tech companies too stupid to move us onto them? Because single-factor authentication is waaay worse for security so we still need a second factor 3/
Backing up, “Authentication” means proving who you are by asserting an identifier (usually an email address, ph# number, or arbitrary handle like @mrisher) and a “challenge” that only the true owner of that ID should have 4/
Long ago, scientists decided there were three categories of auth challenges: something you know, something you have (possession), and something you are (“inherence” for the wonks out there; “biometrics” for the rest of us) 5/
The problem with knowledge factors like passwords and PINs is that knowledge is transferable. Language is great for human (& dolphin) civilization, but it also enables hackers to steal your password and pretend to be you 6/ Hacker dolphin from "Johhn Mnemonic"
And since many of us reuse passwords on sites that inevitably get breached, if a password is the only thing between a hacker and your Crown Jewels, as soon as a hacker knows it, you’re “owned.” So we all want a second factor 7/
When people hear “second factor,” most think of a code sent to their phone. We’ve talked about why SMS 2FA and apps that ask “Are you trying to sign in” are better than nothing but no longer state-of-the art 8/
Security keys are better, but the rub with all these “something you have” factors is they can get lost/stolen, so you still want a 2nd factor (that the “2” in “2FA”) If possession is all it takes, you’re in a bad place if anybody swipes your phone 9/
The same goes for single-factor biometrics. We leave our fingerprints everywhere, and it’s expensive to make a face sensor that can’t be tricked by a sleeping person, mask, or printout 10/
You wouldn’t want a stranger with a mask to walk into an Apple Store and get access to your data, so biometrics work best as a *second* factor: Your face/fingerprint combined with *the specific phone you’ve already set up*
(By the way, this isn’t a theoretical possibility; science has mostly caught up with Mission Impossible: gizmodo.com/this-is-not-a-…) 12/
IOW, we wouldn’t want to just *replace* passwords with biometrics, but we can move from passwords to biometrics+something. And we finally have a viable “something.” 13/
So what's the plan, Stan? 14/
Sites need to adopt “webauthn,” a new standard allowing biometrics on your phone to unlock a website/app. Along with OpenID Connect (the tech behind the “Sign in with Google” button) these can offer secure+convenient authentication for any site or app 15/ bit.ly/webauthn-codel…
If you run a site with username+password, upgrade to these technologies! They’re more secure for you *and* more convenient for your users, outsourcing the hard bits & streamlining the rest. 16/ developers.google.com/identity/gsi/w…
And in the meantime, everyone needs to get on the autofill/password manager train! If you memorize passwords, it’s too tempting not to reuse them across sites, and eventually you’re gonna be phished on one of those sites. All of us can be phished. 17/
Password managers also up your game against phishing, because they match the site you’re on before entering the password. It’s not foolproof, but your password manager is much less likely to get tricked by “paypa1” 18/
.@googlechrome and @android have autofill built in and shared across all your devices for free, and together with g.co/securitycheckup will automatically help you fix any breached, reused, or weak ones. @1password and @dashlane are also popular 19/
Swapping pwds for biometrics isn’t the answer, but biometrics are coming via webauthn, and combined with OpenID and your password manager, we can soon be safe and secure and barely have to think about passwords anymore. /fin

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with mark risher

mark risher Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mrisher

7 May 20
It’s #PasswordDay (you didn’t forget, did you?). Shelter-in-place means people everywhere are signing up for dozens of new apps and sites, and that means dozens of new passwords, so I wanted to bust some myths and share some knowledge on how to use passwords safely. 1/
Passwords are the best and the worst of things. They’ve worked from time immemorial. Centuries before computers, passwords were used by Roman armies to identify allies and prove loyalties. 2/
The first computer passwords were from the 60s at MIT to protect researchers on shared systems. Back then, computers were the size of minivans, people had access to at most one of them, and the threat model was an officemate who wanted to play text adventure games 3/
Read 20 tweets
30 Jan 20
Google loves security keys, and today announced an open source implementation to help spur further innovation from the security research community 1/ security.googleblog.com/2020/01/say-he….
.@FIDOAlliance technology is the strongest defense against phishing attacks, but it’s been hard to get mainstream users — and even many high-risk businesses — to adopt. 2/
We’re hopeful that this implementation, which runs off an off-the-shelf hardware board you can buy for $10, allows developers to innovate on usability and human factors to help drive widespread adoption 3/
Read 5 tweets
15 Jan 20
With hacking and security on everyone's minds, we built the Advanced Protection Program in 2017 to bundle @Google's strongest security offerings into one simple package. Today, we're making it even easier to enroll 1/
Effective immediately, anyone with an Android or iPhone can enroll into Advanced Protection with just one click, without needing to buy/wait for separate, dedicated security keys. blog.google/technology/saf… 2/
By building the same, robust @FIDOAlliance Security Key technology directly into Android and iOS and enabling instant enrollment, users can instantly lock down their accounts with the most phishing-resistant defenses out there. 3/
Read 4 tweets
2 Oct 19
Raise your virtual hand if you’ve had it with passwords ✋. In all honesty, if I could raise three hands, I would – and I’ve got a hunch I’m not alone! Follow along as I dig into the state of passwords and a few ways to make them less of a headache. 1/
First, let’s get a few facts straight when it comes to #passwords. I’m busting the top 3 password myths to help you stay safe online. 2/
Myth #1: Never write down your password.

This is legacy advice from when computers lived at the office & the threat was Pat in the cube next door. But with personal devices & remote hackers, memorized passwords leads to re-use, which is way worse for overall security. 3/
Read 16 tweets
29 Mar 19
Okay, here’s the deal with Security Keys and #phishing, because even some experts don’t really get it. HT @boblord and @runasand for the idea 1/
IN THE BEGINNING, God created passwords. If you knew your password, you could sign in; if you didn’t, the door remained locked. Simple! 2/
Unfortunately, phishers realized that if *they* knew your password, they too could sign in. Relying on a single “knowledge factor” meant if they could make you enter your pwd on their fake login page, they were home scot free. 3/
Read 20 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!