To start this experiment; I needed some subjects: my wife, sons, and father-in-law. Next I set out to find all those password killers we have heard so much about.

It turns out that many of those headlines were more than a bit misleading. Betteridge’s law of headlines seems to be doubly true for password killers. Will that new technology be the death of all passwords? No.

Most of those over-hyped articles refer to academic research, vaporware, companies now out of business, or costly implementations for huge enterprises. There are a few products out there for consumers but many of them are highly proprietary, need custom software, and limited in their usefulness. I was a little disappointed.

Wearable Authentication

Because there weren’t as many password killers out there as I hoped, I had to do some piecemeal hardware and software implementations. My wife uses a Windows computer and Android phone all day long, but she really doesn’t like disruptions to her routine. To make this all as transparent as possible for her, I went with a Striiv Fusion Bio activity tracker and a Jakcom NFC smart ring.

Striiv wearable and a Jakcom smart ring.

The Striiv Bio has Bluetooth and I could set it up to automatically unlock her computer when she was near it. The NFC ring would be perfect for her phone because she could unlock the phone just by holding it in her hand; the NFC sensor is right where the ring sits on her finger. And although she did resist some at first, the benefits of the activity tracker was enough to get her to go along with it. For the most part she doesn’t even realize she’s logging in (she really doesn’t like disruptions to her routine).

Setting up the NFC ring to unlock her phone was pretty easy — it comes with an app to do that for you. The ring itself has two NFC chips in it so you can also have it perform other functions, depending on which side you tap it on. In fact, NFC can be fun. A couple of years ago I bought some NFC stickers and put them all over the place: in my car, on my night stand, even one on the toilet to launch my favorite reading material.

But NFC has a problem, basic chips have little security. Anyone with a reader can wave it near your hand and scan the code to make a clone for themselves. NFC can be secure with more advanced, costlier chips capable of cryptographic operations; the only other option is to wrap your hand in aluminum foil. For the security requirements of my wife’s phone, NFC would do just fine.

Bluetooth was more tricky setting up. I ended up having to install several pieces of software and writing some custom scripts to get it to lock and unlock her computer. The problem with Bluetooth is the range, having your computer unlock when you are as far as 30 feet (over 9 meters) or more away isn’t exactly secure. Like NFC, Bluetooth is also somewhat vulnerable to cloning, although with properly-written software developers can make it fairly secure.

Although few wearables have any built-in support for authentication, the potential here is huge. Not only are they strapped on to you, but they contain an array of sensors — GPS, microphones, even heart monitors — that could make for interesting advances in authentication.

Wearables verdict:

Seamless way to unlock devices, but not always easy to set up

Not useful for web site logins

Software still required setting backup PINs

Security level: Medium

Total cost: $116

Did it kill the password? It killed a few device passwords, but that hardly made a dent.

YubiKeys

I have to admit that YubiKeys, by Yubico, are one of my own personal favorites so I though I’d set up my 16-year-old son Alec with some of these. He has a bad habit of reusing the same password everywhere but, on the other hand, he’s organized and never loses stuff. The YubiKey is perfect for him.

YubiKey NEO, Nano, and YubiKey 4

YubiKeys certainly aren’t marketed as password killers. In fact, you typically use them along with a regular password to further strengthen your logins. When it comes to authentication there are different factors: something you know, something you have, and something you are. The password is something you know and the USB YubiKey token is something you have (a fingerprint or other physical feature is something you are). The more factors you combine the stronger it gets. Most consider two factors — referred to as two-factor authentication or 2FA — to be secure enough.

The YubiKey normally uses a one-time password, meaning that it generates a different password every time you use it. After logging in, a system can prompt you for your YubiKey, after which you touch the small metal sensor and it sends the one-time password. If this password authenticates with the Yubico central servers, the system lets you in. This, along with a traditional password, is a very secure login system.

One convenient thing you can do with YubiKeys is have it hold up to two different static passwords that never change. In this case, you tap the metal sensor and it enters your password as if you typed it on your keyboard. If you touch the sensor a little longer, it will enter the second password you saved to the key.

I created strong, unique passwords for all Alec’s most important logins and saved them on the YubiKeys. I also configured his computer to require his YubiKey when logging in to Windows. For him, the YubiKeys were convenient and quite usable.

The problem with the YubiKeys is that no sites support them as a replacement for passwords. Although a growing number of services — such as Gmail — allow you to use YubiKeys as a second factor of authentication, you still have to remember that password. The workaround we used of storing static passwords isn’t a great solution either. Anyone who can gain access to the keys can get your password — you better keep that keychain with you at all times. Because physical keys like YubiKeys can so easily be lost, stolen, or damaged, they probably aren’t going to replace passwords any time soon.

YubiKeys verdict:

Excellent security for two-factor authentication, not a great way to replace passwords

Don’t lose them

Security level: Medium to High

Total cost: $190 for a Nano, two Neos, and a YubiKey 4

Did it kill the password? No, but they are a great way to strengthen your current passwords.

Password Managers

One of the reasons I didn’t include myself in this study is that I simply have too many passwords; I have to use a password manager. As even the most casual internet users have discovered, it is easy get overwhelmed with passwords and the only solution is to have a tool to save them for you. Once unlocked with a single master password, password managers automatically fill in login forms in your browser so you don’t have to remember any other passwords.

Using a password manager to create and store your passwords means you can easily follow two key security tips: use very strong passwords and never reuse the same password across multiple systems. Although password managers don’t eliminate passwords, they can make them more secure and more manageable.

My 19-year-old son Ryan doesn’t have that many passwords. He has maybe a dozen and uses strong, unique passwords that he remembers just fine. Still, he uses his Android tablet regularly — it’s always a pain typing long passwords on mobile devices. Because he tends to lose things, I knew a hardware device wasn’t the best idea, so I went with Intel’s True Key password manager [Disclosure: Intel Security is a sponsor of this article and the Practically Unhackable publication].

Intel’s True Key App

True Key strength is logging in with multiple factors—the first is a device you designate as trusted such as your phone or home computer. Depending on your device capabilities the second factor can be a password, your face, or a thumbprint. In the application you can enable multiple login methods to be available for the device.

Multi-factor Login Options

One feature that particularly caught my attention was their facial recognition. In the early days of security, we easily fooled facial recognition by holding up a picture of the user. The technology got smarter, using 3D cameras and other techniques to sense a live person, but this usually requires purchasing additional hardware. The result was either weak authentication or buying an additional 3D camera.

True Key works with Intel’s RealSense 3D camera but will also work with an existing 2D camera on your device. Intel got around the limitations of 2D cameras with a clever trick: having you turn your head from side-to-side, to simulate a 3D scan of your face.

The facial recognition isn’t perfect, but that is always a problem with this and other biometric authentication factors. First, lighting conditions are rarely ideal and always changing. Second, our faces also change: beards, glasses, makeup, and hair styles might vary significantly from day to day.

True Key get’s around the facial and lighting changes by using each login to learn more about your face. Theoretically, recognition will improve over time and be able to identify you in just about any condition.

Still, there’s one problem they can’t overcome: you need light for facial recognition to function. My son got frustrated moving his head around trying to get it to work in bed with the lights off before he realized that just wasn’t going to work out. For those times he had to log in with his master password — or stop using his tablet in the dark.

True Key verdict:

Seamless cross-device support.

Facial recognition can be a bit cumbersome but improves as it learns your face.

Only manages application and web passwords.

Security level: Medium to very high, depending on how you configure it.

Free for up to 15 logins, $19.99/year for unlimited logins.

Did it kill the password? It gets rid of many of your passwords, but won’t log you into your devices unless you are using Windows 7 or 8.

Windows Hello

My 10-year-old son Evan uses his computer a lot, and that is the only computer he ever uses. He doesn’t have to worry about mobile devices or having to login from remote locations. For him, Windows Hello with biometric sensors was the way to go.

Eikon fingerprint scanner and SteelSeries Sentry

Surprisingly, his was the easiest and most effective of all the techniques I used, although probably not best suited for a high-security environment. I used an AuthenTec Eikon USB fingerprint scanner and a SteelSeries Sentry eye tracker, both of which work with Windows Hello on Windows 10. The fingerprint scanner is a discontinued product but for $25 it’s not a bad deal for my a 10-year-old’s PC. On the other hand, the eye tracker at $150 wasn’t exactly cheap, but this think senses your freaking eyeballs.

When he turns on his computer, the eye tracker immediately starts looking for his eyes. If he prefers, he can also choose to login with fingerprint, password, or PIN.