by jrm4 1149 days ago
It's 100% accurate. And I get why it may not seem helpful, but I think this is simply due to this industry trying too hard to cater to people who want things to be 6-year-old level easy.

Security is HARD. There's no getting around that. Your data is valuable and protecting it is not an easy task. At some level, security and convenience is a zero-sum game.

As for old people, my dad writes down his passwords on a text file in his laptop and has a printed backup in the house.

And, yes, he does have to bug me sometimes to re-login or change a password, but we've never had a security problem, which is way more than can be said for a lot of people who tried the INHERENTLY unsafe "3rd party manager" thing.


> It's 100% accurate.

No it's not.

The security triad is "something you are", "something you know", and "something you have". Fingerprints are something you are. Usernames are something you claim to be.

The username is the "claim" you are this person. The password is the "proof" you are.

If I'm fingerprinted by any federal agency today (and my fingerprints have been on file with the government since the 90's for a security clearance), then my fingerprints can serve as absolute proof of my identity. This is helpful to me should my identity ever be stolen and I need to show absolute proof of who I am.

Good point, you're right. And with e.g. federal agencies, this is fine.

But given the relatively high level of laziness, capriciousness, and general failure all around that is "IT security by means of companies who are rarely held accountable," it's good to point out that this is what makes biometrics worse than usernames and should probably mostly be avoided, or at least optional.

Your points are taken, but I do believe that the "something you are" is better than the "something you know" and "something you have" pieces -- as the knowledge or the thing you have can be stolen.

Sure, fingerprints, face scans, and iris scans can be stolen as well. But certain things are really hard to fake, including, potentially, scans of faces and an iris scan at the same time -- unless you can somehow graft a new iris and grow a new face.

Put it like this: a dead victim is found naked along the side of the road. Which leg(s) of the security triad can the police use to prove the identity of the victim?

If convenience plus precision are your only goals, sure. But this requires probably too much trust in the systems. I'm fine with the FBI having that power and information.

Google, who I don't pay and doesn't owe me much, not so much.

Your fingerprints change over time (mine are different from just five years ago -- as I learned when recently renewing a visa a few weeks ago).

Those are all factors in multi-factor authentication. If a service does not require the "something you are" there's still good security if they require the other two factors. If the only required factor is "something you are" that's bad security.

They all require the "something you have" as well. Pretty much all the face recognition / fingerprint tech on mobiles is locked to a single device.
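As an added example (not from any poster in this thread), here is a small Python policy check modelling the factor classes argued over above: the username is only a claim, proof must span distinct factor classes, a bare biometric is treated as an identifier rather than proof, and a biometric matched on an enrolled device (the mobile case) also attests possession of that device. The class and function names are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable

# Hypothetical model of the three factor classes named in the thread.
class Factor(Enum):
    KNOWLEDGE = "something you know"   # password, PIN
    POSSESSION = "something you have"  # enrolled phone, hardware token
    INHERENCE = "something you are"    # fingerprint, face, iris

@dataclass(frozen=True)
class Evidence:
    factor: Factor
    label: str
    # For biometrics: True when the match is performed by an enrolled device
    # (the mobile case), so presenting it also proves possession of the device.
    device_bound: bool = False

def authenticate(claimed_user: str, evidence: Iterable[Evidence],
                 min_factors: int = 2) -> tuple[bool, int, str]:
    """Return (accepted, distinct_factor_count, reason).

    The username is only the claim; proof must come from at least
    ``min_factors`` *distinct* factor classes. Two passwords are still one
    class. A biometric that is not device-bound gets no credit: it can be
    copied and cannot be revoked, so it identifies rather than proves.
    """
    classes: set[Factor] = set()
    for e in evidence:
        if e.factor is Factor.INHERENCE:
            if not e.device_bound:
                continue                        # bare biometric: no credit
            classes.add(Factor.POSSESSION)      # matched on an enrolled device
        classes.add(e.factor)
    n = len(classes)
    if n == 0:
        return False, 0, f"{claimed_user}: no proof presented, only a claim"
    if n < min_factors:
        return False, n, f"{claimed_user}: only {n} distinct factor class(es)"
    return True, n, f"{claimed_user}: {n} distinct factor classes"

if __name__ == "__main__":
    # Constructed sample login attempts for the claimed user "alice".
    phone_face = Evidence(Factor.INHERENCE, "face match on enrolled phone", device_bound=True)
    raw_print = Evidence(Factor.INHERENCE, "fingerprint image uploaded")
    password = Evidence(Factor.KNOWLEDGE, "password")
    for attempt in ([password], [raw_print], [phone_face], [password, raw_print], [password, phone_face]):
        print(authenticate("alice", attempt))
```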