| Passwords | Biometrics |
| --- | --- |
| Difficult to remember | Don’t have to remember |
| Requires unique passwords for each system | Can be used on every system |
| Nothing else to carry around | Nothing else to carry around |
| Take time to type | Easy to swipe/sense |
| Prone to typing errors | Prone to sensor or algorithm errors |
| Immune to false positives | Susceptible to false positives |
| Easy to enroll | Some effort to enroll |
| Easy to change | Impossible to change |
| Can be shared among users¹ | Cannot be shared |
| Can be used without your knowledge | Less likely to be used without your knowledge |
| Cheap to implement | Requires hardware sensors |
| Work anywhere including browsers & mobile | Require separate implementation |
| Mature security practice | Still evolving |
| Non-proprietary | Proprietary |
| Susceptible to physical observation | Susceptible to public observation |
| Susceptible to brute force attacks | Resistant to brute force attacks |
| Can be stored as hashes by untrusted third party | Third party must have access to raw data |
| Cannot personally identify you | Could identify you in the real world |
| Allow for multiple accounts | Cannot use to create multiple accounts |
| Can be forgotten; password dies with a person | Susceptible to injuries, aging, and death |
| Susceptible to replay attacks | Susceptible to replay attacks |
| Susceptible to weak implementations | Susceptible to weak implementations |
| Not universally accessible to everyone | Not universally accessible to everyone |
| Susceptible to poor user security practices | Not susceptible to poor practices |
| Lacks non-repudiation | Moderate non-repudiation |