What’s better, biometrics like a fingerprint or face recognition, a pass key, or old-fashioned passwords? A couple of different conversations I had recently spurred this question, and I think it’s worth exploring.
Biometrics: Face scan, fingerprints, or retina scans

According to the CISSP training I received, biometrics is the best. And the very best of all is a retina scan. Facial recognition can sometimes be defeated by holding up a photograph, and fingerprints can sometimes be defeated with copies. A retina scan is much more difficult to fake without the person being present.
The problem is people tend to be nervous about having their eye scanned with a laser. And I don’t blame them. I, for one, don’t want my eye scanned by some cheap ass low-bidder laser device that might be buggy and might do something it shouldn’t do. It’s possible to get another job. I can’t get another eye.
But there is a significant legal problem with biometrics. While you still cannot be compelled to hand over a password or PIN to law enforcement, law enforcement can compel you to give up biometrics. There are some theoretical limits on that, but even if they cross the line into illegality, the court system is generally going to favor the cops. It’s built that way. The United States doesn’t have a justice system so much as it has a penal system. This is just one reason I say to never give a cop your phone.
Passkeys
One option that is gaining popularity is a pass key. This key acts like an identifier for you, and you generally activate it by entering a PIN or scanning a fingerprint. I like this idea better, but it is another device you have to carry with you and that you can potentially misplace. You also may not be able to use it with all of your devices. Not everything has a USB-C connector yet, so you will probably need to carry the device along with an adapter.
The pass key may or may not be a challenge for law enforcement. If you are in custody, the police likely have your devices and your passkey. If the pass key is protecting access to what they want, and they don’t know what a pass key is, you are golden. It is not your job to educate them.
But if you are unlucky and happen to be in the presence of a cop who does know what a pass key is, and you’re using a fingerprint as a second authentication factor, they can compel you to give up a fingerprint or face scan, although not a PIN.
I have advocated for passkeys in the past, but the potential law enforcement issues make me nervous. I do not think pass keys are the least bad option.
Also, the ironic thing about pass keys is that frequently the best way to make them work is to tie them to a password manager. If you need a password manager anyway to accommodate the passkey, why not just use a password manager instead, and use it for the intended purpose? So let’s talk about password managers.
Password managers
The solution I keep falling back on is a password manager. I am comfortable disclosing to you that three of the last four security companies I have worked for also used password managers. The fourth one didn’t use anything at all, so I’m not exactly comfortable counting their inaction as a vote in this particular matter.
Cloud-based password managers
Ideally, you use a password manager that exists outside of your web browser. There are any number of cloud-based password managers available, so you can use them from any device. You just load their app on a phone or tablet, or load their browser extension on your computer, and they store your passwords in the cloud.
This is incredibly convenient. The downside is their business model makes them the juiciest target of all time for attackers. That particular industry’s security record is not perfect. They all say the right things about how they protect your data. But these services cost money, and if your data does get breached, don’t expect anything more than a written apology.
KeePass: a local password manager
Another alternative is an open source application called KeePass. KeePass runs on your local computer or phone, but you can export your database and load it on another device if you wish. It’s not quite as easy and convenient as the other options, but your data is encrypted, can only be unlocked with a password that you know, and the copy is in your custody. As long as you aren’t loading dodgy apps from questionable sources on your computer or phone, KeePass is extremely safe.
The password manager in your web browser
But there is a third option that is easy and also free. The major Web browsers have a password manager built into them. I’m sure you have even seen it. When you are accessing a website, most browsers will offer to store your username and password for you. They will even offer to generate a strong password for you. Most of them also give you the ability to synchronize your passwords between devices. Firefox will let me synchronize my saved passwords between my computer and my phone, for example.
This isn’t a perfect option. In theory, a security flaw in my web browser could give an attacker access to my passwords.
In spite of the problems with storing passwords in the web browser, I would much prefer you use that option than a pass key or biometrics. And I would rather still that you use that than rely on passwords you can remember.
The argument for passwords
The problem with passwords is that if you can remember your password, a computer algorithm can guess it. The ideal password is random gibberish, and the more of it the better.
This leads me to that other conversation I had. I mentioned a website to a friend, but said I couldn’t get to it at that moment, because I didn’t have that password in my personal password manager. My friend said, “Wait a minute, IT Guy doesn’t know his password?”
Indeed I didn’t. I only know a few passwords. I have different passwords to unlock different devices, and outside of that, I do not know my passwords for any websites I use. All of my other passwords are randomly generated.
Yes, a qualified security professional can find flaws with this approach. But I think that using a unique, completely random password for every website is the least bad option. Random passwords of sufficient length will take a lifetime to guess. And if I do not know those passwords, I cannot be compelled to disclose them. It doesn’t matter how many laws you are willing to break, I can’t tell you something I don’t know.
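As an added illustration of the argument above (this code is not from the original post), the script below generates random gibberish from the operating system’s CSPRNG and compares its entropy, and the expected brute-force time, against the memorable “dictionary word plus digits” pattern. The word-list size and the cracking rate are assumed figures, not measurements.

```python
import math
import secrets
import string

# 94 printable ASCII characters: the alphabet most password managers generate from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int) -> str:
    """Random gibberish from the OS CSPRNG: each character independent and uniform."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def memorable_entropy_bits(word_list_size: int, suffix_digits: int) -> float:
    """Entropy of the common 'word + digits' pattern (e.g. a season plus a year).

    A guesser tries the whole word list times every digit suffix, so the keyspace
    is word_list_size * 10**suffix_digits no matter how clever the word feels.
    """
    return math.log2(word_list_size) + suffix_digits * math.log2(10)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Mean brute-force time: on average half of the 2**bits keyspace is searched."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed offline cracking rate against a fast hash (constructed figure).
    RATE = 1e10
    memorable = memorable_entropy_bits(100_000, 4)  # assumed 100k-word list, 4 digits
    print(f"word + 4 digits: {memorable:.1f} bits, "
          f"{expected_years_to_guess(memorable, RATE):.2e} years")
    for n in (8, 12, 16, 24):
        b = entropy_bits(n)
        print(f"random length {n}: {b:.1f} bits, {expected_years_to_guess(b, RATE):.2e} years")
    print("sample:", generate_password(20))
```

At the assumed rate, eight random characters fall in days while sixteen take longer than the age of the universe, which is what “sufficient length” means in practice.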
That’s why I have been using password managers in one form or another for the last 15 years, and I will continue to do so. It’s not hip or chic, but it works today. If someone finds a way to make something better next year, great. But in the meantime, using password managers is something you can do right now that puts you in the 80th percentile. And that’s not a bad place to be.

David Farquhar is a computer security professional, entrepreneur, and author. He has written professionally about computers since 1991, so he was writing about retro computers when they were still new. He has been working in IT professionally since 1994 and has specialized in vulnerability management since 2013. He holds Security+ and CISSP certifications. Today he blogs five times a week, mostly about retro computers and retro gaming covering the time period from 1975 to 2000.
