Back in 2004 Bill Gates predicted the death of the password, the reason for their downfall being that they are unable to ‘meet the challenge’ of keeping data secure. Fast forward eleven years and some may speculate that this has finally come to fruition.
With the launch of Microsoft’s Windows 10 last night came the announcement of Windows Hello – a new security feature based wholly on biometric authentication. Users are able to unlock their devices through facial recognition, and iris and fingerprint scanners – apparently rendering pin codes and passwords obsolete. But can biometrics really replace passwords?
Biometric security definitely has its merits. Its main advantage is that it solves both identification (establishing who you are) and authentication (confirming your right to access something). On paper, it is a great tool to prevent identity theft and various kinds of fraud. But it does have its limitations.
Firstly, biometric authentication can be hacked like any other form of authentication. In late 2014, hackers from the Chaos Computer Club obtained high-resolution photos of the German Defense Minister’s fingerprint and reconstructed an accurate print that fooled fingerprint-based security systems. And unlike passwords, biometric data that has been stolen cannot be changed: you cannot replace your stolen fingerprints with a new set.
Even worse, if all of your accounts were protected by the same stolen biometric information, they would all become vulnerable simultaneously. Biometric authentication also has other major limitations: it cannot be shared and cannot be made anonymous. Sharing login data, or using it anonymously, is something more and more Internet users do.
Biometric methods do make sense as an additional authentication factor, but as we are starting to see, they also have strong limitations that make them an unlikely successor to passwords. Passwords, by contrast, if used correctly (one strong, unique password per website), have a number of advantages:
– They can be shared, which is a necessity both within families and teams at work. Think about the Netflix account at home or the corporate Twitter account in a company. You cannot share your fingers or your eyes with someone else.
– They can be stolen, but if you use one unique password per website, the damage does not spread to other websites, as opposed to biometric data, which is by definition the same everywhere.
– They preserve anonymity, which is a key attribute of the Internet. Think about Twitter without anonymity.
Any move to boost consumers’ online security, such as Windows Hello, is obviously welcome. But until the benefits of biometric authentication incorporate and improve on those of a password, it won’t replace passwords as the de facto standard of online security. The benefits must also generously offset the cost of switching from passwords to biometric authentication, and a sufficient amount of time also needs to pass for mass, universal adoption.
Of course humans can no longer perform all the tasks related to safe password management: random generation, encrypted storage, memorization, changing passwords. We just have too many accounts and too many devices for that – the average UK consumer now has over 100, which is set to almost double by 2020. That’s why more and more Internet users are relying on tools like a password manager that can do this for them.
Some see passwords as a temporary system that will be replaced by a very sophisticated authentication system very soon. That may be true but by the time we get there, we will all have been hacked many times over.