USB Fingerprint Readers for Dummy (Me)

Just to get something out of the way, I freely admit that I don’t really understand passkeys (which doesn’t bother me as much as it probably should, given that every organization / web page / whatever seems to be going about it their own way). So that’s not my question.

Since it looks like I’m going to need biometric input at some point, and only one of my computers has a camera, a fingerprint reader would seem to be the logical choice. But when I started looking into them, I got even more confused than my norm. While every one appears to be compatible with “Windows Hello,” the ones I’ve seen appear to mention different standards (so far I’ve seen FIDO U2F, FIDO2, TEC TE-FPA2 and TE-FPA-CA1). What concerns me is that when you have different standards, you tend to have incompatibility; and I’m just looking for something that will work in the widest range of situations. So I’m hoping that someone could shed a bit of light on the subject — or tell me that it doesn’t matter.

I’m not necessarily looking for recommendations, but if you have one, bear in mind that I’m looking for something that would plug directly into the USB port and sit flat against the case rather than something on a cord.

As always, thanks in advance for any information or suggestions.

The different standards define how ‘accurate’ the fingerprint reader is – how sure it is the person they say it is.

Do you need the fingerprint reader just to log into Windows on your personal computer or to access online systems (e.g. bank accounts for work, etc.)?

Since they all support Windows, any of them will let you log into your personal computer. However, if it is for a work computer or an online system, then they might require a higher level of authentication.

Thank you, you’ve clarified my inquiry greatly. Grazie. And it makes sense that logging into a bank would require more accuracy than logging into one’s home computer.

(I used to be able to delude myself into thinking I was quite tech-savvy. But even before I retired from an IT career that started during the dying days of punch cards I realized that I was falling behind — and topics like this make me realize how much behinder I’m getting.)

So, my situation: home computers — Windows & Linux — no passkeys yet but I feel I should be prepared when they become the preferred (or required) access method. Targets would be commerce, banking & investments and social media. Does that help?

Again, thanks.

FIDO2 is the current standard; you should be good with any compliant device for passwordless authentication.

Can I ask what your end goal is here…? Why are you interested in adding biometrics to your computer?

I’m not sure about the nuances of the different security level standards, but some thoughts:

  • You do not need biometrics to use passkeys. They work just with your existing unlock. I use a ton of passkeys and have no biometrics.
  • Passkeys are entirely optional anyway and probably will be that way for a while; they do not replace passwords, at least not yet (edit: honestly, they probably never will… they identify a device or an account, not a person, so you’d still need some way to prove ownership of the device or account anyway… passwords are the easiest way to do that). They’re kinda like a better, more convenient alternative to 2FAs.
  • Is this for a desktop computer? It’s totally normal that you don’t have a fingerprint scanner or other biometrics. It’s fine to just use your password/PIN. There’s no reason to go out of your way to add biometrics if your computer didn’t come with one… the biometrics don’t necessarily add any more security over traditional time-based 2FA or a passkey.
  • If you absolutely want biometrics for some reason, you can consider getting an actual physical security key with a built-in fingerprint reader (like a YubiKey) instead of just a fingerprint scanner. Then you get a physical key and fingerprint scanning in one, for triple-factor authentication (something you have and something you are). The downside is that if you lose that thing, it’s gonna be a pain in the ass…
  • IMHO, for regular home use (i.e. you are not being forced to add biometrics by your company), you’d be better off skipping biometrics altogether and just using a regular password manager (like 1Password or Bitwarden) with strong, randomly-generated unique passwords for each website. Or the built-in password manager in your browser would be fine too.

Passkeys don’t require biometrics, at least not in their typical current implementations. Passkeys are a more seamless way for your computer and a server to authenticate each other, NOT a way for your computer to authenticate you.

i.e., it’s a two-step process:

  1. First, you authenticate yourself to your computer via some combination of password, PIN, biometrics, time-based 2FA, or a physical security key.
  2. THEN, once your computer believes it’s you, it will send a passkey to the website/app.

So adding biometrics would just give you one more way to do #1, but you don’t HAVE to do that just for #2. You can keep using a password, PIN, or another existing unlock method, to prove that you’re you. Then, once you’re “in”, your computer sends the passkey for you.

The two steps are completely separate; you don’t need biometrics to use passkeys, and adding biometrics won’t magically add passkeys for you.

So what are you trying to improve or fix? If you want passkeys, go ahead and start using them anytime you want — you don’t need additional hardware for them. If you want biometrics, yes, you can add a fingerprint scanner, but you’d still need to separately add passkeys. Neither one is a requirement of the other.
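The two steps from the post above, as an added Node.js sketch that is not part of the original thread. It follows the WebAuthn assertion layout (authenticator data = RP ID hash, flags byte, counter; signature over that plus the hash of the client data), where the device signs the site's challenge with the passkey's private key. The site name `bank.example`, the PIN and fingerprint values, and all function names are constructed for the example.

```javascript
const crypto = require("crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (PIN or fingerprint; the site cannot tell which)

// Step 1 happens only on the device. Accepted values are constructed sample data.
function localUnlock(method, secret) {
  const accepted = { pin: "4821", fingerprint: "enrolled-finger" };
  return Object.hasOwn(accepted, method) && accepted[method] === secret;
}

// Step 2: the device signs the site's challenge; the private key never leaves it.
function getAssertion(device, site, unlock) {
  if (!localUnlock(unlock.method, unlock.secret)) return null; // no unlock, no signature
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: site.challenge.toString("base64url"), origin: site.origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(++device.signCount);
  const authenticatorData = Buffer.concat(
    [sha256(site.rpId), Buffer.from([FLAG_UP | FLAG_UV]), counter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData,
           signature: crypto.sign("sha256", signed, device.privateKey) };
}

// Website side: checks challenge, origin, RP ID hash, UV flag, then the signature.
function verifyAssertion(site, assertion) {
  if (!assertion) return false;
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString());
  if (client.type !== "webauthn.get" || client.origin !== site.origin) return false;
  if (client.challenge !== site.challenge.toString("base64url")) return false;
  if (!authenticatorData.subarray(0, 32).equals(sha256(site.rpId))) return false;
  if ((authenticatorData[32] & FLAG_UV) === 0) return false;
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, site.publicKey, signature);
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const device = { privateKey, signCount: 0 };
  const site = { rpId: "bank.example", origin: "https://bank.example", publicKey,
                 challenge: crypto.randomBytes(32) };
  const run = (method, secret) => verifyAssertion(site, getAssertion(device, site, { method, secret }));
  return { pin: run("pin", "4821"),
           fingerprint: run("fingerprint", "enrolled-finger"),
           wrongPin: run("pin", "0000") };
}
```

The site receives the same kind of signed assertion whether the local unlock was a PIN or a fingerprint; only the UV flag tells it that some verification happened.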