Passwords don’t cut it, biometrics are ‘your safest bet’ for online security

People are the password's fundamental flaw -- 2FA and password managers are band-aid solutions

If you spend a lot of time on the internet these days, you’ve probably made a password. And if you’ve made a password, you know how awful they can be.

There’s a lot that’s wrong with passwords. Google’s product manager for authentication, Steven Soneff, agrees.

“The thing that people really feel annoyed about is that you have to remember [passwords],” Soneff told me in a phone interview.

Steven Soneff, product manager for authentication at Google

“You’re probably hearing advice about making sure that it’s complicated or that there’s a requirement to have certain characters… that’s infuriating from a user point of view.”

Soneff, a fellow Canadian, has worked in online identity and account security for over ten years and has roots going all the way back to Research in Motion (RIM) during the BlackBerry heyday.

However, Soneff says that passwords suck from a security viewpoint as well. He says people create passwords that are easy to guess because they make them easy to remember. Worse, people reuse the same passwords to help with remembering them, and this can make passwords dangerous.

So, what makes passwords so bad, and how do we protect ourselves online? Thankfully, Soneff had the answers, as well as some advice for Canadians about staying safe online.

What makes passwords so dangerous?

The primary danger with passwords is that they’re ‘phishable.’ For those unfamiliar with the practice, phishing is a type of online attack that tries to trick users into revealing their password to a bad actor.

Several phishing strategies exist, from fake emails designed to look safe to websites impersonating trusted platforms. For example, several scams send fake emails that look like they’re from Netflix telling people that there is something wrong with their payment info. Unsuspecting users click the link in the email to resolve the problem and may inadvertently log into a fake Netflix lookalike. Whoever sent the email uses the fake site to grab the user’s password and login details.

Whatever the scam, the real danger is in how people use passwords. As Soneff said, many people repeat passwords or use variations on the same password to make it easier to remember. So, if a malicious actor nabs your password, they could potentially log into your other services, including more valuable things like your online banking site.

Unfortunately, this problem isn’t one that longer, more complex passwords can remedy — the security flaw is with people.

If you don’t have a password, you don’t have to worry

Soneff suggests that some of the best ways to fix passwords involve avoiding them altogether.

For example, ‘Sign-in with Google,’ and similar services from Facebook, Twitter and Apple, allow users to skip out on making a password. Some sites use phone numbers instead.

“In that case, Google actually vouches for you, says ‘so and so at gmail.com is here, you don’t have to ask them for a password, you don’t have to create a password.’”

However, not every site allows users to sign in with another service. The next step, according to Soneff, is to use a password manager.

“A password manager, I think, has historically been a bit daunting,” Soneff said. “People would have to install and sign-in and set up a password manager, and of course, some people probably don’t even know what a password manager is, let alone want to take those steps.”

Soneff points out that these days, most browsers and operating systems offer built-in password managers.

“If you use Chrome or you use Android or anything in the Apple ecosystem, there’s already great functionality there that will help you generate a strong and unique password,” Soneff said. The benefit of these systems isn’t just that they make strong passwords, but they remember them and fill them in for users as well.

However, password managers aren’t perfect. Bad actors can still phish passwords, or worse, breach the system and steal data en masse. Another issue, especially with OS-based and browser-based managers, is they can lock users into a specific platform. For example, a Chrome user may be hard-pressed to move to a new browser when all their passwords and logins are stored in Chrome. Granted, there’s usually a workaround, but the average user may not have the knowledge or ability to figure it out.

What about 2FA?

Another excellent option for protecting online accounts is second-factor authentication or two-factor authentication (2FA).

According to Soneff, 2FA is valuable from a security point of view because it offsets the vulnerabilities of passwords by requiring a second level of authentication that is unique to a given login event.

In simpler terms, 2FA asks for a second code after a user logs in with a password. This code is usually time-based or valid for one use only. It arrives via email, text message or an authenticator app and is different for every login event.

If someone steals your password and tries to log in, they won’t necessarily have access to the second factor of authentication — you can reuse a password, but you can only use 2FA codes once.

Soneff says 2FA is “effective protection” against weak or reused passwords.

Unfortunately, 2FA isn’t without flaw either.

Soneff said that 2FA could pose a real challenge for people because it adds several extra steps to the login process.

“You can imagine that for a lot of people who really struggle to do stuff online, either because they’re not as comfortable or they have accessibility issues, dealing with a second-factor challenge could mean the difference between being able to use a service or not,” Soneff said.

Soneff spoke to how Google is trying to handle 2FA “intelligently.” For example, Google will only ask for 2FA information when there’s an unusual login.

Further, Google is also experimenting with ways to make 2FA easier for users when the company does ask for it. A great example of this is Google’s ‘2-Step Verification,’ which launched back in 2016. Instead of asking users for a 2FA code when they try to log into a Google service, it sends a notification to their phone. Users then have to tap the notification to allow or prevent the sign-in.

Biometrics are the answer

Despite how effective these systems are, Soneff acknowledges that they aren’t practical solutions.

“You can’t rely on people to always follow best practices and it’s really just an unrealistic burden to ask people to do things like set up password managers,” Soneff said.

Instead, Soneff believes the best solution is something that avoids passwords entirely but isn’t too complicated. Currently, only biometrics fit the bill.

“By and large, [biometrics] are substantially more secure with respect to the types of common attacks that we see on passwords,” Soneff said.

By biometrics, Soneff means using a fingerprint, face, iris or another similar physical trait to authenticate users. Most people will be familiar with these technologies as how they unlock their smartphones. However, biometrics can also be used as one of the more secure ways to authenticate people online.

First and foremost, though, Soneff wanted to clarify a common misconception about biometrics: they don’t leave your phone.

“People need to understand that the biometric doesn’t actually leave the device,” Soneff said. “The phone’s hardware, either the cameras or the fingerprint sensor, when it recognizes its user, it unlocks some… cryptographic keys that are stored on the device.”

Those cryptographic keys are what leave the device and authenticate the user. In other words, your fingerprint data or facial data remain safely stored on your device.

The other significant benefit of these cryptographic keys is that they’re unique to each online service.

Soneff used the example of enrolling your fingerprint with your bank app on your phone. What that means is registering the cryptographic keys. When you go through the initial setup of your bank app and enable fingerprint authentication, what you’re doing is creating a unique set of cryptographic keys bound between your device and that online service. Then, when you authenticate your fingerprint on-device, it releases a key to that service to verify you’re logging on.

“That is actually an effective and pretty usable protection against phishing,” Soneff said. “If someone goes to another website or app and asks the user for their biometric information, a different key will be generated and that different key will not be usable on the legitimate service.”
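The three properties Soneff describes above (the biometric never leaves the phone, each service gets its own key, and a lookalike site ends up with a key the real service will not accept) can be shown with a small simulation. This is an added example, not code from the article, from Google or from any real authenticator: the `Device` and `Service` classes and the origins `bank.example` and `bank-login.example` are constructed for illustration. To stay dependency-free it derives a per-origin symmetric key and answers challenges with an HMAC, whereas real device-bound authentication (FIDO2/WebAuthn) registers a per-service public key and answers with a digital signature; the origin-binding logic is the same.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Device:
    """Simulated phone. The master secret and the enrolled biometric never leave this
    object; every online service gets its own key derived from (master secret, origin)."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)  # stays on the device
        self._biometric_enrolled = False         # the template also stays on the device

    def enroll_biometric(self) -> None:
        self._biometric_enrolled = True

    def _key_for(self, origin: str) -> bytes:
        # One key per origin: a lookalike origin yields an unrelated key.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Hand the service its credential (a public key in a real FIDO registration).
        return self._key_for(origin)

    def authenticate(self, origin: str, challenge: bytes, sensor_match: bool) -> Optional[bytes]:
        # The biometric is only a local gate; what leaves the device is a MAC over the challenge.
        if not (self._biometric_enrolled and sensor_match):
            return None
        return hmac.new(self._key_for(origin), challenge, hashlib.sha256).digest()


class Service:
    """Relying party (the bank). Stores one credential per user and issues fresh challenges."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._credentials: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def register_user(self, user: str, credential: bytes) -> None:
        self._credentials[user] = credential

    def start_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh for every login event
        self._pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response: Optional[bytes]) -> bool:
        challenge = self._pending.pop(user, None)
        if challenge is None or response is None or user not in self._credentials:
            return False
        expected = hmac.new(self._credentials[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenario: enrol with the real bank, then try a legitimate login,
    a phishing relay through a lookalike origin, and a login with no sensor match."""
    bank = Service("bank.example")
    phone = Device()
    phone.enroll_biometric()
    bank.register_user("alice", phone.register(bank.origin))

    # 1. Legitimate login: the origin the phone sees is the real bank.
    challenge = bank.start_login("alice")
    legit = bank.finish_login("alice", phone.authenticate(bank.origin, challenge, sensor_match=True))

    # 2. Phishing relay: the fake site forwards a real challenge, but the phone derives
    #    the key for the origin it actually sees, so the bank rejects the answer.
    challenge = bank.start_login("alice")
    relayed = phone.authenticate("bank-login.example", challenge, sensor_match=True)
    phished = bank.finish_login("alice", relayed)

    # 3. Right origin, but the sensor did not recognise the user: nothing is released.
    challenge = bank.start_login("alice")
    no_match = bank.finish_login("alice", phone.authenticate(bank.origin, challenge, sensor_match=False))

    return {"legitimate": legit, "phishing_relay": phished, "no_biometric_match": no_match}


if __name__ == "__main__":
    print(run_scenarios())
```

Note what the bank never receives: no fingerprint, no template, and not even the device's master secret, only a credential tied to `bank.example` and, per login, one response to one fresh challenge. That is why the lookalike site's answer is useless even when the user did everything the attacker asked.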

Not everyone is on board yet

While Soneff was adamant that biometric authentication is the right way to go, he acknowledged that some work needs to be done to make it feasible.

There are two main issues with biometrics. The first is availability. While most smartphones have some form of fingerprint, facial or iris authentication, laptops are another story. Unless you have a new MacBook or Microsoft Surface device, which offer fingerprint and facial authentication services respectively, or another modern PC with biometrics, you likely won’t be able to rely on biometric authentication.

But aside from the hardware, the local nature of biometrics makes it exceedingly difficult to manage logins in cross-device scenarios. Because of how biometric authentication works, it will only work on the device you use to set it up.

“When you go to another device, how would you use your biometric from the past device?” Soneff said.

Google is working on ways to make this easier. While Soneff wouldn’t speak to what the company has in the pipeline, it’s worth noting that earlier this year, Google essentially turned every Android phone running version 7.0 or newer into a 2FA security key. It works similarly to Google’s Titan security key but uses Bluetooth to connect to Chrome and verify users instead of plugging a physical security key into your device.

Other companies are working on ways to do this too. Microsoft, for example, lets users authenticate to their accounts biometrically through its Authenticator app. When you log into your Microsoft account, it tells you to check the app on your phone, where you authenticate biometrically to enable access to your account.

Looking back to see ahead

As mentioned up top, Soneff has been in the online identity and account security field for some time. He interned at RIM when BlackBerry was the device to have. At the time, Soneff recalls that all you could do on phones was check and respond to email.

“It’s amazing to see that in the almost 15 years since then, we’ve seen just a dramatic amount of new services come online, and you can do just about anything from your phone today,” Soneff said.

With that shift, however, came an incredible number of services for people to use.

“That means a lot more passwords to take care of, that’s probably contributing to the fact that there’s so much password reuse,” Soneff said. “[There’s] a burden on users to figure out how to do this safely.”

But considering how much change and progress there’s been, Soneff says he’s “optimistic that we’ll get to a point where things are a lot easier.”

When asked about the potential impact of 5G on security, Soneff said it wouldn’t change much. Instead, 5G will enable more connected devices, especially in the Internet of Things (IoT) space, which means more devices to authenticate and keep secure.

“We have to think about how we securely authenticate and set up your data on the devices in your house,” he said, pointing to how users set up Google Home devices by connecting to them with their phones.

How Canadians can stay safe online

With all the authentication methods out there, it can be challenging to navigate the world of online security.

Soneff, however, offered some advice to his fellow Canadians.

“Try to avoid having to set a password in the first place,” Soneff said. He pointed to things like Sign-in with Google as a great way to avoid having to make passwords.

“That would prevent you from being in a situation where that password could be misused in the first place. That said, if you do have to set a password, just use the built-in password management functionality that comes with your browser [or] operating system.”

Soneff says these systems are “well-vetted and comprehensive,” and “probably your safest bet.”

“And finally, be willing to set up those biometric things. I hope we can get the message out that your biometric won’t leave the device, that it’s bound to the device and that it is something that — from a security, usability point of view — is probably the strongest thing that you’ve got.”