Biometrics Should Supplement, Not Replace, Passwords


Game changers.  New paradigms.  They are everywhere.  Where can one turn without reading about disruptive change?  And yet, the dearth of innovation is a disturbingly frequent topic in blogs and business magazines.  A colleague who ran the innovation program at a multi-billion dollar company told me that most of the “innovation” ideas were actually ways to sidestep the company’s bureaucracy.

As the French say, “Plus ça change, plus c’est la même chose.”  The more things change, the more they stay the same.

That French wisdom is useful when charting the course of biometrics.  On a weekly basis, I read multiple articles and press releases announcing the impending death of passwords, soon to be overwhelmed by biometric authentication.

But here’s the real issue:  Password authentication is single-factor authentication.  Biometric authentication is single-factor authentication.  Single-factor authentication is weak, no matter what factor is used.  Moving from password authentication to biometric authentication does not make authentication stronger – it only makes the authentication less weak.  That’s an important distinction.  In either case, a successful attack requires compromise of only one credential.

Biometrics has advantages that passwords lack.  Never a problem to remember.  Sufficiently specific to a single individual.  Biometrics can vastly improve a user experience.  I am, however, terrified that biometrics will make it easier to conduct online transactions while operating a motor vehicle.  I prefer that those adjacent to me on the road be fully focused on driving.  Naïve, yes, but one can hope.

Conversely, passwords have advantages that biometrics lack.  100% enrollment at the first attempt.  No specialized equipment required.  100% match of credential to the presented sample is possible and required.  Simple 24/7 replacement when lost or compromised.  Physical harm rarely if ever required to steal a password.

Passwords can be compromised and biometric identities can be compromised.  In practice, choosing passwords or biometrics comes down to use cases, not “Which one is better?”   Here is what I don’t understand:  why this enthusiasm to replace passwords with biometrics?  Why not rather supplement passwords with biometrics?  Require both.  In the security world, this is known as two-factor authentication.  Anybody who has carried an RSA SecurID fob knows exactly what I’m talking about.  When both password and fingerprint are required for logon, a false positive authentication becomes much more difficult to achieve.  Not impossible, but more difficult.  And unlike a security fob, it’s tough to lose your fingerprint at the airport security line.

In the end, any authentication process exists to lower the probability of a false positive (or in some cases a false negative) to a statistically acceptable level.  Moving from one type of authentication to another can improve the situation.  But supplementing an existing authentication with an additional process can tremendously lower the probability of undesirable results.  Rather than throwing away the protection offered by passwords, why not substantially improve that protection with the addition of biometrics?