The Inquirer-Home
Comments
Authentication Factors

As Bruce Schneier described it, there are three ways to authenticate a person: by something you have (e.g. a physical key), something you know (e.g. a password), and something you are (e.g. biometrics). He reckons passwords on their own are no longer enough, and certainly biometrics on their own are not enough, as other commenters have pointed out.

Nowadays the absolute minimum in security, suitable for sensitive things like online banking, is two-factor authentication.

If you want to know more, go read Schneier’s blog.

posted by : Lawrence D'Oliveiro, 23 May 2009
Holy Grail

So, all you security "experts" out there, what is the answer?

How do you authenticate and authorise with normal people in the chain?

Or is the solution computer systems that don't interact with people?

Eliminate the weakest link?

And what about the security implementors, how do you work around their human weaknesses?

Sounds like everyone's time would be better spent searching for the Holy Grail, except that MPFC already found it and made a boffo movie in the process.

posted by : Rich Wargo, 22 May 2009
Biometrics part 3

Biometrics have been argued before.

There are 2 sides to security - authentication and authorisation. Biometrics can only be used for the first part, i.e. the username, not the password. Why? Because biometrics do nothing more than identification: it is detection of personal features that are available/detectable/clearly visible/"out there", public knowledge so to speak. As technology progresses, faking this information gets easier. It is not what one would call a "shared secret".

As such, a system that relies solely on biometrics is inherently insecure.

There are multiple articles on this subject.

posted by : Spoelie, 22 May 2009
biometrics?

@viscountalpha:

Biometrics is a joke. The current implementations are so simple to circumvent (photo of a face, photocopy of a fingerprint) that they are nearly useless.

You can change the password if it gets compromised; how do you change your face or fingerprint?

posted by : Deimios, 22 May 2009
The problem is passwords are the problem.

It's about time we take things a step further and start using biometric data to verify a user. Start using cameras, fingerprints, voice prints.

Simple passwords will likely never go away but security needs to really change if they expect us to keep our security tighter.

I've heard it all too often, you force a user to change their password too often and they end up writing it down someplace INSECURE.

Code key fobs (keychain thingamajigs) are great until you lose your set of keys.

Going to biometrics (with redundancies) is the only logical solution to so many of these problems.

posted by : viscountalpha, 22 May 2009

User, you are the weakest link
