Finger scanning for online accounts

[The Green Bean]

Recently my email accounts got hacked; details here: http://forums.anandtech.com/showthread.php?t=2096844

I was wondering why the major email providers have not adopted finger scanning for online security. It's not too expensive and much safer than passwords. Sometimes it's so easy to recover passwords that it's pretty difficult to ensure that you are safe.

Finger scanners would be cheap. It should atleast be tried as a beta! I don't see a downside to it other than the initial investment.

 

[Crusty]

Using one over the other won't solve any of the current problems sadly. What we really need is ubiquitous encryption of network traffic and two-factor authentication schemes.

 

[WackyDan]

The short answer is this...

Because you are not logged into their domain.

- There are a few biometric solutions that require you to be on the local network/domain in order to leverage infrastructure wide biometric authentication.

Consumer web use is outside of this. There is essentially no solution. Even a local password bank tied to the finger print reader is only just a layer and is passing the same info to the site... It just means you don't have to remember the user logins and can be lazy with a speedy login.

We are I suspect years away from some sort of consumer grade interface via common web browser...Capitalism conspires to keep one company from benefiting from setting a standard these days.

 

[Modelworks]

Most people are unaware that passwords saved by browsers locally take all of 5 seconds to view by anyone with the right software.
A better solution is to use a password manager that uses very long and complex passwords for sites. Then you can use one master password that is local to you . I use lastpass for this . The way their system works is the password for all your sites is encoded or decoded on the local machine only. There is no sending of the master password over the network. When you go to access a site that needs a password, that site is decrypted locally and the password sent for that site only. The total master file is never decrypted at one time . Someone also cannot grab the passwords from the host pc memory because lastpass wipes the contents of the memory immediately after it decodes the 1 password and before returning control back to the OS kernel.

The only way someone can gain access is to get the master password and I keep one that is over 12 characters long with mixed symbols.