Password Safety: Biometrics, Physical Keys, and Multi-Factor Authentication

A password is not the only way of proving a person is who they claim to be. Anything that is unique to a person, whether something they know or something tied to them, can in principle be used as an unlocking method.



Biometrics, the use of body characteristics, is one example. The classic is the fingerprint, which we already know is unique to an individual. Most mobile devices and many PCs have fingerprint readers that avoid entering a password and permit logging in with the touch or swipe of a finger. This can even be combined with most password managers, so that a fingerprint serves as the master password that unlocks the rest of the credentials.

Facial and eye scans, available on phones from Apple, Samsung and others, work in the same way. On PCs, many Windows machines include Microsoft’s Windows Hello, which unlocks the computer or a website using facial recognition. Although some of these technologies could be spoofed in the past, they are now much more robust. One should still research a device’s technology to make sure it is appropriate for one’s security needs.


Physical Keys

Physical “keys” can be used in many cases too, particularly on PCs. For example, a YubiKey from Yubico looks like an ordinary USB thumb drive. The system can be configured so that the YubiKey must be inserted into a USB port before access is granted.


Multi-Factor Authentication

These biometric and physical-key methods can also be used together with a password for an extra layer of protection. This is known as two-factor or multi-factor authentication. The initial hurdle is a password entered by the user. Assuming it is entered correctly, the user must then provide another form of proof of who they are, such as a fingerprint, a face scan or a physical key. Only when that second test is passed is access granted.

Another form of multi-factor authentication relies on email, text messages, or an authenticator app. When first signing up to a site that offers multi-factor authentication, the user provides their email address or cell phone number. Thereafter, whenever signing in, a password is required first. If it is accepted, a short additional code is emailed or texted to the user, which they must enter to gain access. The assumption, of course, is that a hacker will not have access to the user’s email or phone, so whoever can supply the code must be the person they claim to be.

Sometimes this code is instead provided by an authenticator app installed on the user’s phone. The app displays a code that changes every minute or so; entering the current code after the password completes the login.

Multi-factor authentication is extremely secure and very difficult to circumvent. Most major sites, including Microsoft, Google, Facebook and Apple, offer it. Where it is available, using it is highly recommended. Even if a password is compromised, multi-factor authentication still gives the data an additional layer of protection.

Optional Video: For more information about why two-factor authentication is so effective, and how to maximize your protection by using the most effective two-factor authentication tools, watch these Bite-Sized CPD videos:

Two-Factor Authentication [4:13 minutes]

Are You Using the Most Secure 2FA [6:43 minutes]