I think it would be good if they could also do some kind of dynamic session cookie that keeps you in but others out.

I mean... either you use biometric data instead of a password (the increase in security is right there and was even before "passkeys"), or they use the pin of another device... effectively reducing security by once again "putting more than one egg in the same basket"? When will they learn that security and convenience hardly go the same way...

A geocaching (I think that's the term) tool would be useful too.

IT on the Global Organization I work for did tests on this, it's NOT secure.

fantaskarsef:

I mean... either you use biometric data instead of a password (the increase in security is right there and was even before "passkeys"), or they use the pin of another device... effectively reducing security by once again "putting more than one egg in the same basket"? When will they learn that security and convenience hardly go the same way...

The issue with biometrics is that you can't change anything based on biometrics as soon as it is broken. So if someone manages to clone your fingerprints for instance (not out of the realm of capabilities these days), there is no way to change those fingerprints. They mere fact that this is not possible makes biometrics very unsuited for actual security purposes. Any theft of the biometrics immediately makes all security measures based on those biometrics vulnerable.Talk about single point of failure! The reason that companies use biometrics in the first place is more for convenience reasons than for absolute security.

Crazy Joe:

The issue with biometrics is that you can't change anything based on biometrics as soon as it is broken. So if someone manages to clone your fingerprints for instance (not out of the realm of capabilities these days), there is no way to change those fingerprints. They mere fact that this is not possible makes biometrics very unsuited for actual security purposes. Any theft of the biometrics immediately makes all security measures based on those biometrics vulnerable.Talk about single point of failure! The reason that companies use biometrics in the first place is more for convenience reasons than for absolute security.

I 100% agree. Also, as biometrics are, like you said, unchangable (except due to injury perhaps), I have my doubts about tech companies simply having that data. And I do not see any personal gain in skipping to push in a pin just to look at my phone to unlock it. I'm also not the person to constantly pick it up and put it down, though, so I might not be the target audience. It tells you the story behind it that the protesters in Hong Kong's (failed) pro democracy anti China central government movement went from biometrics to pin simply because they could be forced to look at their iPhones to unlock them, be forced to place a finger on the button, but they could not (so easily) be forced to enter a multi digit pin... food for thought, imho.

I find it funny when someone says a pin is more secure than passwords. A pin is essentially a very short password with a limited amount of combinations.

Chrysalis:

I find it funny when someone says a pin is more secure than passwords. A pin is essentially a very short password with a limited amount of combinations.

I think the point that the person was trying to make is that pins are less easy to extract from a person once they are under your control than biometrics like face recognition or finger print recognition. Because there is no way to avoid the biometrics being used in that case (apart from causing yourself incredible harm). Most pin based systems will lock you out after a few incorrect guesses (some of them for ever increasing periods of time). I don't think that anyone claimed that pins were more inherently more secure than passwords.