
It's time to ditch passwords. Mobile-based biometrics offer a better way - tonyraja
https://metatony.posthaven.com/its-time-to-ditch-passwords-mobile-based-biometrics-offer-a-better-way
======
necovek
Uhm, this is a bit of a bull.

It's long been considered that you authenticate through:

* what I am (biometrics)
* what I know (password)
* what I have (token, phone...)

Depending on the sensitivity of what is being protected, you might need to
employ all three.

The article argues for 2-factor authentication without the password, without
any consideration of data sensitivity or of what was actually breached with
passwords (yeah, it's somebody's Instagram account, but not Instagram itself).

Just as many services offer optional 2-factor authentication today (what I know +
what I have), you could allow users to choose depending on their estimate of
data sensitivity.

If I am getting it correctly, the article argues only for a single factor
authentication by storing biometrics on the thing you have (so once your
attacker gets your phone, they can replace biometrics as well).

Dropping passwords can only hurt those who employ them correctly.

