2015 trends: The evolution of password security

Why you should get on board with fingerprint sensors and two-factor authentication.

For years, security experts have told us to use strong passwords and a password manager. Both are good practices, but the next level is fingerprint ID and two-factor authentication. This year, Google launched two Nexus phones with fingerprint sensors and relatively aggressive price points, and two major companies started offering two-factor authentication to enhance your password security. Since most people's password habits seem to be pretty terrible, these two industry shifts may help protect us against ourselves. You need to know how they work and why they fit into your Internet regimen, so that you can better protect your personal info.

Fingerprint sensors

Fingerprint sensors have been around for decades, and in the last couple of years they've come to mobile phones. With the sensors, you can press your finger to your phone -- rather than entering a PIN or a password -- to unlock it, to automate password entry, and to authorize purchases. Fingerprint ID isn't 100 percent secure, as fingerprints can be lifted and even re-created from high-resolution photography, as German defense minister Ursula von der Leyen discovered last December. But there is no perfect method for protecting access to your devices, and for regular folks who don't meet with Chancellor Merkel, fingerprints are easy, reliable, and not likely to get stolen.

And fingerprints aren't just for unlocking your device. Password managers such as LastPass (Windows, Mac, Android, iOS) can use your fingerprint in place of your master password, and Google Wallet can use it to authorize a purchase. If you use a password manager a lot -- we have some picks if you don't -- being able to access it quickly gives a big boost to your mobile experience. If you've set up the Google Play Store to prompt you for your account password every time you purchase something there, you can now blow right through with a single tap.

High cost of entry

Of course, there's a catch. Right now mobile fingerprint sensors are not widely available on inexpensive phones. If you want a phone with fingerprint ID -- like an iPhone 6S, Samsung Galaxy S6, or LG V10 -- you must either sign up for a two-year contract to reduce the initial cost of the device or else pay $500 or more for an unlocked model.

There are a couple of exceptions, such as the OnePlus Two and the LG Nexus 5X. But the OnePlus Two is missing NFC (near-field communication) -- which you'll want for things like mobile payment at retail stores, contact sharing, and device pairing. And the 5X is thoroughly overshadowed by its bigger sibling, the Nexus 6P, which has a nicer screen, stereo front-facing speakers, more available storage space, more memory, and better camera processing. However, we've seen the 5X marked down by as much as $80 during the Black Friday phase, bringing it down to $300 for the 16GB model, at which point it's definitely worth a look if you don't need a lot of storage. This is still a relatively high amount of money just to get a phone with a fingerprint reader.

On the other hand, the 5X and 6P are also compatible with Google's Project Fi, which offers discounted access to Sprint and T-Mobile cell networks for people who don't use a lot of data; the default option of $50 per month gets you unlimited talk and text, plus 3GB of data, and you get an account credit for the data you don't use. So while the compatible phones aren't cheap, you may save money in the long run by switching to Project Fi, assuming that it's available in your area.

If you're trying to get a phone for less than $200, arguably the only candidate is the Asus Zenfone 2, which doesn't have the sensor we're looking for. The head of Asus said in March that the Zenfone 3 will get one, and OnePlus may put NFC back in its next phone, though it hasn't made any public statements about that yet. Until then, the options aren't very good for people who want to avoid long contracts and high price tags.

Password enhancement for the rest of us

You may not be able to afford a phone with fingerprint ID, but anyone can sign up for two-factor authentication (2FA), also known as two-step verification, on sites ranging from Amazon to Gmail. The most common form of 2FA sends an SMS text message to your mobile phone after you've entered your username and password. This message contains a four- to six-digit code that you must enter to complete login.

If you don't want to verify via texted codes, other options include a code sent to an alternate email address or to another app like Google Authenticator (Android, iOS). The advantage of the Authenticator app is that your device doesn't have to be set up to receive SMS messages, so an Android or iOS tablet connected to Wi-Fi is just as good in a pinch. Having an alternate 2FA method is also helpful if your device gets lost, damaged, or stolen.

Fingerprint ID is sci-fi cool and fast. 2FA actually adds a step to your login process and therefore slows it down. But both methods act as a backup lock for your online account info. Even if someone nabs your password, your info will be safe.

About Tom McNamara

Tom is the senior editor covering Windows at Download.com.