With the iPhone 5S and its fingerprint scanner selling well, one is tempted to say that we may soon no longer have to remember a 4-digit PIN or 10-character phrase with which to access your device or apps. But considering the well-publicized weaknesses of biometrics and the tried-and-true nature of passwords, it looks like we’ll be using the old methods for while longer — and with good reason.
Of course, many who dislike passwords also do so with good reason. Who wants to remember “Yank33*d00dle1979” and five or ten other variants to comply with various sites’ rules and length requirements? And plenty of people don’t even try, meaning the most common password is, of course, “password.”
So it’s no surprise that we would welcome a quick, easy security system like Apple’s fingerprint reader (likely to come to other devices, from iPads to MacBooks, in time) as a breath of fresh air.
But is that really it for passwords? It doesn’t seem likely.
“Personally, I don’t think passwords are dead,” said Corey Nachreiner, director of security strategy and research at the online security firm Watchguard, in an interview with NBC News. “No matter what method you have, biometrics, a password, a special piece of hardware, it’s not infallible.”
And when you get down to it, biometric security is really just a super-complicated password that you can’t forget — nor, of course, can you pick it in the first place or change it if someone gets hold of it.
Many high-profile hacks expose usernames and passwords stored improperly by online services. Such a hack could reveal biometric data as well, and once your fingerprint (or retina, or DNA sequence) is out there, that’s that.
Furthermore, as the recent NSA leaks have shown us, security is as much about trust as it is about good encryption. A fingerprint, retinal scan and special security dongle mean nothing if the company holding your data isn’t secure — or gives up your data without a fight.
“Is it possible to extract and obtain fingerprint data from an iPhone?” asked Sen. Al Franken, D-Minn., in a letter to Apple (PDF). His concern is that the company makes absolutely clear how and where the newly collected biometric information is kept and transmitted. Another key (and as yet unanswered) question from Franken: “Does Apple have any plans to allow any third party applications access to the Touch ID system or its fingerprint data?”
Those potential menaces are significant, but out of the user’s hands. If the object is to prevent a phone’s unauthorized use by thieves, co-workers and jealous exes, simple alphanumeric passwords still have several advantages over a biometric one like a fingerprint:
- They can easily be made device or site specific, keeping security breaches in one area from leaking to others
- They can be shared with others simply and easily
- They require no special hardware or software
- They are well-understood and already implemented all over the world
- They can be as long or short — and as simple or complex — as the situation demands
Such advantages are not to be underestimated as digital devices become more ubiquitous. However, we could discuss the merits and shortcomings of individual systems all day long — but the real question is how to use them together.