Website logins on a browser while using a mobile device have changed very much in the past five years. On many devices you can use biometrics for some sites, so you no longer need a password which continues to be an aid for hackers.
Recently, we published the news that Android devices are going to allow logging in to apps and websites with the use of a fingerprint. Is either method trustworthy? Do you trust logging in to sites with your phone?
Our Opinion
Andrew finds nothing wrong with logging in to the Web with his phone and thinks he’ll probably start to use it when it becomes more common, thinking it’s not too much of a leap from apps to websites. With no authentication data transmitted, only cryptographic proof, “there’s not much of a security risk, and privacy concerns would be mostly limited to your phone’s hardware/software manufacturers.”
Miguel doesn’t trust his fingerprint nor any app to log him in automatically to sites when he has sensitive information. He doesn’t “save” debit card data and always uses throwaway numbers on sites he sees as potentially sketchy. He realizes it may sound paranoid but believes, “It all depends on how much trust people are placing in you as well.” If you’re being trusted with other people’s sensitive data, you tend to treat it with much care. But he accepts the risks with social media and some gaming-related stuff, as there’s not any sensitive data included.
Sayak doesn’t trust biometrics, especially fingerprinting, because he doesn’t see it as safe. He used to work for a company with biometric access, and his fingerprints failed to register on multiple occasions. With dry, greasy, or wet fingers, some people are more prone to failing biometrics than others. He finds the same with phones and tablets and prefers voice ID access much more than biometrics.
While Simon enjoys the idea and convenience of biometric scans to log in to sites, he’d have to try it before answering definitively. If it worked perfectly most of the time, he could see using it. But if it’s spotty and hard to register his fingerprint, he’d prefer to stick with passwords. “The benefit of passwords is that you can set a different one for each site,” so if someone cracks a password, you’re still safe on the other sites. But if someone gets ahold of your biometric data, they’d have access to all sites that use it.
Alex thinks biometrics should consist of user names and not passwords. Fingerprints aren’t secure and can’t be changed. “WebAuthn and the associated FIDO2 standard could be the first step towards more secure login methodologies,” as they use attached devices like a YubiKey to authenticate rather than a text string, but that’s still just one factor. With two-factor login with WebAuthn still requiring a password, he believes it’s a good first step but far from the last.
Being that I’m an Apple mobile user, I’ve been using Touch ID since buying my iPhone 7 2-1/2 years ago. It’s not really buggy to me, and I feel safe with it. However, it still requires a password. Once I use my fingerprint, it then recalls my password. Recently, I bought an iPad Pro, and that uses Face ID. I find the same with that as I do Touch ID, and in fact it’s better. It’s quicker and has never failed. I trust it.
Your Opinion
What are your thoughts on logging in to websites with your phone? Do you trust your fingerprint? Or have you moved on to some form of biometrics already? Do you trust logging in to sites with your phone? Join our conversation in the comments below.
“What are your thoughts on logging in to websites with your phone?”
Even if I owned a smartphone, I would not log in to any sites with it because the screen is too small. Then there is Laura’s article from yesterday “Report Shows that IoT Devices Are Under Constant Attack” which indicates that all WiFi-capable devices are under attack.
“Alex thinks biometrics should consist of user names and not passwords.”
What is the actual difference between a “user name” and a “password”? When reduced to their simplest terms, both are nothing more than a collection of characters; random or not depending on the cleverness of the user. Neither has any particular advantage over the other in actual usage.
“Miguel realizes it may sound paranoid”
Just because you are paranoid does not mean someone is NOT out to get you or your data. :-)
“Sayak prefers voice ID access much more than biometrics.”
FYI, Sayak, voice ID IS biometrics. Unless something drastic happens to your vocal chords, you can’t change your voice, just like you can’t change your fingerprints or your retinal pattern.
The one, overarching problem with biometrics is that once they are compromised, you cannot get a set of new ones. You are stuck with them forever.