Why Biometrics Won’t Replace Passwords Any Time Soon

This week sees the annual Mobile World Congress take place in Barcelona, one of the biggest events in the global technology calendar. This year has already again seen a number of exciting technologies and innovations surface in the mobile technology space, including new phones from the likes of Microsoft and Sony to Google announcing a new wireless surface.

Another area which has been ripe with announcements is the security sector. Notably, Fujitsu has announced that it has managed to create a smart eye tracking device that can recognize each user’s unique iris, taking biometric authentication a step further than the current de-facto fingerprint scanners we find on many of our devices. This latest take on biometric authentication will require the appropriate hardware to run, so don’t expect to see it on your smartphone any time soon. However the real question is this. What are the pros and cons of biometric authentication?

Biometrics Dashlane

There are traditionally three classes of authentication factor: knowledge of a piece of information (passwords, PINs, or secret questions); ownership of a physical device (tokens, cards); and an inherited physical characteristic (iris signature or fingerprints).

Enterprise or government systems that store highly sensitive information often use a combination of multiple factors of authentication that combines two or three factors among these three classes. For convenience, most consumer websites rely on single-factor authentication based on login details and passwords.

Biometrics’ main advantage is that they can solve both identification (assessing your identity) and authentication (confirming your right to access something). On paper, biometrics is a great way to prevent identity theft and various kinds of fraud. The argument goes like this: “My credit card number and passwords can be stolen, but not my fingerprints.”

The problem is however that this premise has already been broken. Biometric authentication can be hacked, as can any other form of authentication. Last year, hackers from the Chaos Computer Club managed to reproduce fingerprints of the German Defense Minister from high resolution public photos and they know how to use them on consumer phones biometric sensors. On the lighter side, there have even been reported cases of “Sleep-Jacking”, when someone opens a person’s device using their fingerprint by placing the device on the sleeping persons authorized finger.

Unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set. Even worse, if all your accounts were protected by the same stolen biometrics information, they would all become vulnerable at once. Biometrics authentication has other major limitations: it cannot be shared and it cannot be made anonymous. Sharing login data or using it anonymously is something increasing numbers of internet users do.

This is not to say that biometric authentication cannot be useful. As an additional layer of authentication, biometric authorization can provide another useful layer of security, particularly when using services which are especially sensitive like our bank accounts. However, the use of strong passwords as the main foundation will build up a stronger defence against breaches for the following reasons:

  • Passwords can be stolen, but if you use one unique password per website, the damage does not spread to other sites, as opposed to unique biometric data which is by definition the same everywhere.
  • Passwords can be shared, which is a necessity within groups of people such as families and work teams. Think about the Netflix account at home or the corporate Twitter account in a company. You cannot share your fingers or your eyes with someone else.
  • They preserve a kind of anonymity, a key attribute of the internet. Think about Twitter without anonymity.

Of course an effective password management strategy (unique, randomly-generated passwords) is tough to apply given the number of different accounts we now use on a daily basis. This is why many of us now use passwords managers like Dashlane to solve this problem effectively and with more ease than trying to do it yourself. Biometrics as a technology is a fantastic innovation with many useful applications. However, in its current guise, a password-killer it is not.

Want to get the low-down on some of the other latest developments in the security world? Check out our new Medium page here.

  • John Frog

    Good points about biometric limitations. If you will permit a newbie question, can chip technology and biometrics COMBINED deter hacking.