Three-Factor Authentication for Computer Logins

It has been a long-recognized principle among security professionals, particularly those in the IA (Information Assurance) sub-discipline, that the most secure authentication for access to information systems is three-factor: something you have, something you are, and something you know. Increasing password complexity and frequency of change (with different periodicities of change on different systems) just results in passwords becoming unwieldy to the point where they’re easily forgotten, or are written down by users unable to keep a jumble of multi-character nonsense clear in their organic memories.

The Department of Defense already uses two elements of three-factor authentication: (1) the Common Access Card (CAC) [something you have] along with (2) its associated PIN [something you know]. All that would need to be added is fingerprint readers [something you are] at each terminal, with software at the servers to validate them, and you would have much more robust authentication security than is currently practiced, since the probability of an adversary or hacker gaining possession of one user’s CAC, PIN, and fingerprint is considerably lower than that of spoofing a user and cracking their existing password.
