Multi-factor authentication relies on combining protection options of different kinds, so that if one of them is compromised the others can still protect the secret. The options are generally:

  • Something you have (a token)
  • Something you are (biometrics)
  • Something you know (password/PIN/pattern)

I recently read an article where someone was saying that the password won’t die, because once your biometrics are compromised it’s over. That’s not strictly true, for two reasons.

First of all, we have multiple personal tokens to authenticate with, also known as fingers and eyes. With fingerprints alone you have ten chances, as it were, before every finger is compromised, and I don’t think anyone registers every fingerprint on their phone. Which fingers you registered is itself ‘something you know’, and offers a small additional level of security. Alas, like everything else, human fallibility means we are far more likely to register index fingers and thumbs, simply because that is what is convenient for the device.

Secondly, it is possible to integrate the ‘you know’ factor further into the biometric itself. One option that is technically feasible today, though I’m not aware of any implementation: finger swipes. Press your finger, then swipe in a direction. Repeat four times and you have a rudimentary pattern. Allow any finger for each swipe and you have (10 fingers × 3 swipe directions)^4 = 30^4 = 810,000 possibilities, or 40^4 = 2,560,000 if an upward swipe is added as a fourth direction. That is a keyspace comparable to a five- or six-digit PIN, so the pattern on its own still needs attempt limits; its value is that the sensor verifies the fingerprint at the same time as the pattern. In the future I hope eye tracking will become accurate enough that you could look in a certain pattern to authenticate: looking at the screen would grant basic access, while rolling your eyes in the enrolled pattern would unlock further access.
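To make the arithmetic concrete, here is an added example (not code from the original post) that computes the swipe-pattern keyspace for different numbers of registered fingers and directions, and shows how such a pattern could be enrolled and verified without storing it in the clear. The gesture encoding (a finger index 0-9 paired with a direction letter), the direction sets, and the use of a salted PBKDF2 digest are all assumptions made for this example.

```python
"""Keyspace arithmetic for a finger-swipe pattern, plus a minimal enrol/verify
routine for such a pattern.

Added example, not code from the original post. The gesture encoding
(finger index 0-9 + direction letter), the direction sets and the salted
PBKDF2 digest are assumptions made here.
"""
import hashlib
import hmac
import math
import secrets
from typing import Optional, Sequence, Tuple

Swipe = Tuple[int, str]  # (finger index 0-9, direction letter); assumed encoding

# Direction sets (assumption): three directions reproduce the post's 810k
# figure, adding "U" as a fourth gives the 2,560k figure.
THREE_DIRS = ("L", "R", "D")
FOUR_DIRS = ("L", "R", "D", "U")

PBKDF2_ROUNDS = 100_000  # assumption; slows down offline guessing of the digest


def keyspace(fingers: int, directions: int, swipes: int) -> int:
    """Distinct patterns of `swipes` gestures: (fingers * directions) ** swipes."""
    if fingers < 1 or directions < 1 or swipes < 1:
        raise ValueError("fingers, directions and swipes must all be >= 1")
    return (fingers * directions) ** swipes


def entropy_bits(space: int) -> float:
    """Entropy of a uniformly chosen pattern from the keyspace, in bits."""
    return math.log2(space)


def equivalent_pin_digits(space: int) -> float:
    """Decimal PIN length with the same keyspace (log10 of the space)."""
    return math.log10(space)


def encode_pattern(pattern: Sequence[Swipe]) -> bytes:
    """Canonical byte encoding, e.g. [(1, "L"), (0, "D")] -> b"1L0D".

    Validation matters: a malformed entry must fail enrolment rather than
    silently produce a pattern the user can never reproduce.
    """
    out = []
    for finger, direction in pattern:
        if not 0 <= finger <= 9:
            raise ValueError(f"finger index out of range: {finger}")
        if direction not in FOUR_DIRS:
            raise ValueError(f"unknown direction: {direction}")
        out.append(f"{finger}{direction}")
    return "".join(out).encode("ascii")


def enroll(pattern: Sequence[Swipe], salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted digest of the pattern, never the pattern itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", encode_pattern(pattern), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(pattern: Sequence[Swipe], salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the presented pattern and compare in constant time."""
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", encode_pattern(pattern), salt, PBKDF2_ROUNDS)
    except ValueError:
        return False  # malformed input is simply a failed attempt
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Sensitivity to the post's own caveat: most people only register thumbs
    # and index fingers, i.e. 4 fingers rather than 10.
    for fingers, dirs in ((10, 3), (10, 4), (4, 3), (4, 4)):
        space = keyspace(fingers, dirs, 4)
        print(f"{fingers:2d} fingers x {dirs} dirs, 4 swipes: {space:>9,d} patterns "
              f"= {entropy_bits(space):.1f} bits ~ {equivalent_pin_digits(space):.1f}-digit PIN")

    enrolled = [(1, "L"), (0, "D"), (1, "R"), (5, "U")]  # constructed sample pattern
    salt, digest = enroll(enrolled)
    print("correct pattern accepted:", verify(enrolled, salt, digest))
    print("one swipe wrong accepted:", verify(enrolled[:3] + [(5, "L")], salt, digest))
```

Running this shows the point the post's caveat implies: with only four registered fingers and three directions, four swipes give 12^4 = 20,736 patterns, roughly a 4-digit PIN. A keyspace that small is brute-forceable offline no matter how expensive the digest, so the pattern's security rests on the sensor confirming the fingerprint on every swipe and on the device enforcing attempt limits, not on the hash.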

It will be a very long time before passwords are gone, but that’s not to say it’s impossible.