Find out if Face ID and Touch ID will make the world move beyond the password.
Face ID. Fingerprint biometrics. Access to a device through detection of typical user patterns.
Science fiction has taught entire generations of tech entrepreneurs that the future will be password-free. Many security professionals are happy to call every new authentication technology a “password-killer.”
But are they right? Will biometrics or behavior analytics replace passwords? Many of these “password-killer” technologies already enjoy widespread use. Why aren’t they taking the world by storm the way touchscreens did in the late ’00s?
It turns out that passwords offer much that biometrics do not. Although new security technologies will become an increasingly important part of the secure IT ecosystem of the future, there will almost certainly always be room for a strong password.
What New Technologies Can—and Can’t—Do
Before talking about why the password is here to stay, we should cover what exciting new security technologies are out there and what their benefits and drawbacks are.
1. Facial Recognition
Facial recognition became an extremely popular authentication technology with the release of Apple’s iPhone X and Samsung’s competing Galaxy series of mobile phones. Facial recognition feels secure since it seems ridiculous to believe that a hacker could steal a user’s face without them knowing about it.
However, facial recognition comes with its own set of problems. In August, hackers at the Black Hat security conference in Las Vegas proved they could break into an iPhone’s Face ID in under 120 seconds, using a pair of glasses, tape, and either a sleeping or unconscious user of the iPhone. It highlighted a flaw in the liveness detection function Apple employs for unlocking your iPhone through Face ID.
2. Fingerprint ID
Fingerprint authentication is another popular option for mobile device users, and has become a way for users of newer laptops to unlock their devices. Ever since fingerprint analysis made its way into forensic science, people have naturally gravitated towards the idea that we can securely identify and authenticate people by their unique fingerprints.
However, this assumption may not be entirely true. Although every individual does have unique fingerprints, fingerprint data is as vulnerable as any other kind of information. It can be hacked, leaked, and compromised by cybercriminals the same way any data can. The crucial weakness of a fingerprint-based security system is that it cannot be reset. Compromised users cannot grow new fingers.
Since biometrics cannot be updated, hackers will simply focus their efforts on compromising computer systems that hold biometric data. This undermines the entire concept of the biometric security system, making it fail permanently for the users affected. This is not a hypothetical case—it already happened to 5.6 million people in 2014.
3. User and Entity Behavior Analytics
One of the most fascinating new security concepts to come out in the last decade is user and entity behavior analytics (UEBA). This technology identifies and authenticates users by learning what constitutes “normal behavior” for that particular user.
For instance, a UEBA-powered smartphone might notice that its user is right-handed and typically swipes with two fingers instead of one. A UEBA-powered desktop computer would notice the difference between a two-fingered typist using the “hunt-and-peck” technique and one who tops 60 words per minute.
This technology can be useful in a multiuser environment, especially for identifying insider threats and compromised accounts.
Consider, for example, a data entry employee who takes typing lessons to improve productivity. A UEBA-powered system would continually lock this employee out of the system until an IT administrator could reset the parameters that the system is looking for. While useful in some circumstances, user behavior analytics does not offer the combination of permanence and flexibility that passwords do.
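The typing-lesson lockout described above can be reproduced with a toy behavioral baseline. This is an added example, not code from the original article or any UEBA product; the words-per-minute samples, the z-score threshold and the sliding-window re-baselining are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): words-per-minute measured
# per login session for one user. The first list is the training baseline of
# a hunt-and-peck typist; the second is the same user improving by about one
# WPM per session after taking typing lessons.
TRAINING_WPM = [38, 41, 40, 39, 42, 40, 41, 38, 40, 39]
AFTER_LESSONS_WPM = [41, 42, 43, 44, 45, 46, 47, 48, 49, 50]

def zscore(sample, history):
    """How many standard deviations a sample sits from the history mean."""
    sd = pstdev(history) or 1.0          # guard against a zero-variance history
    return (sample - mean(history)) / sd

def static_lockouts(training, sessions, threshold=3.0):
    """Fixed baseline: every session is judged against the original training
    window. Returns one bool per session; True means the user is locked out."""
    return [abs(zscore(s, training)) > threshold for s in sessions]

def adaptive_lockouts(training, sessions, threshold=3.0, window=10):
    """Sliding baseline: each accepted session replaces the oldest sample, so
    gradual change is tolerated while an abrupt deviation is still flagged."""
    history, flags = list(training), []
    for s in sessions:
        locked = abs(zscore(s, history)) > threshold
        flags.append(locked)
        if not locked:
            history = (history + [s])[-window:]
    return flags

def count_lockouts(flags):
    """Number of sessions in which the user would have been locked out."""
    return sum(flags)

if __name__ == "__main__":
    print("static  :", count_lockouts(static_lockouts(TRAINING_WPM, AFTER_LESSONS_WPM)))
    print("adaptive:", count_lockouts(adaptive_lockouts(TRAINING_WPM, AFTER_LESSONS_WPM)))
    # An abrupt jump (someone else at the keyboard) is still flagged by both.
    print("abrupt  :", adaptive_lockouts(TRAINING_WPM, [75]))
```

With the fixed baseline the improving typist is locked out in seven of ten sessions and needs an administrator reset; re-baselining on accepted sessions removes those lockouts without losing the abrupt-change signal, but it is a tuning decision the operator has to make, which is the flexibility a password-reset flow gives for free.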
Nothing Stronger or Cheaper Than a Good Password
A strong, secret password remains the most effective way to identify and authenticate users in a business context. When used correctly, passwords protect sensitive data in ways that “password-killer” technologies simply cannot.
Importantly, password-based security systems succeed at their objectives without requiring any additional hardware investment. There is no need to install cameras, fingerprint scanners, or UEBA-enabled interfaces in order to guarantee best-in-class access control for sensitive devices and data.
These factors all combine to establish a comfortable place for passwords in the near future. Even if a true “password-killer” technology bursts onto the scene in the next few decades, the need for robust, cost-effective security ensures that good password policy will remain a fundamental part of every organization’s security framework for a long time.