Why Biometrics Are About to Put an End to Password-only Authentication

We’re about to witness a death, and no one but the bad guys will wail. The end is nigh for password-only authentication, the anemically weak and long outdated, mainstay security measure that’s been a pox to consumers, companies, and governments.

What is going to deliver coup de grace? Biometrics.

No, fingerprints, facial, voice, iris, and even vein recognition won’t put an end to the myriad security threats we’ve suffered time and again. But teamed with other measures, this who-you-are technology’s time has arrived. In fact, the only reason biometrics aren’t in widespread use already, contends Brian Witten, the global director of Symantec Research Labs, is that organizations haven’t recognized how easy and inexpensive it is to deploy.

IT could use the help. Business users continue living in fear that their passwords and identity will be stolen, or that their IP will get put at risk. Even though ecommerce has burgeoned with advances in connection speeds, the cloud, and delivery logistics, few, if any, websites use biometrics - even as the occurrence of headline-grabbing data breaches continues unabated with a third of all businesses now having suffered security losses.

But several dynamics are converging that are expected to bring biometrics into widespread use.

Falling Obstacles

The most powerful among them is mobile. Before Apple introduced the first fingerprint reader with the iPhone 5s in 2013, biometric readers were expensive, standards were sparse, and systems rarely interoperable. Others quickly followed suit, including Samsung. As smartphone makers pressed the technology, they also created a secondary, salutary effect, shifting the cost to consumers, amortizing and lowering the financial barriers to deployment.

The tit-for-tat competition among smartphone makers has created a biometrics boom. By 2016, 40% of the 1 billion smartphones in the market came with biometric recognition; by 2020, it’s estimated that 100% of smart mobile devices will include embedded biometric sensors as a standard feature. Now that Apple and Samsung have introduced facial recognition to their flagship iPhone X and Galaxy 8S, it won’t be long before facial recognition becomes a staple, too.

Smartphones signal something even bigger and broader. The very nature of computing is changing, and that, too, spells the end of passwords, and perhaps even altogether.

“Roll the clock forward,” says Symantec’s Witten. “We’ll be wearing computers on our wrists and they’ll be in our glasses.”

Who knows where else they’ll reside. What we do know is this: We won’t be using keyboards to operate them. The logic is simple enough – no keyboards, no passwords.

Witten says one other wall to deployment is falling, too. Symantec has compiled several strong-authentication technologies into its cloud-based VIP service, which allows enterprises to use APIs to protect access to sensitive data and applications anytime, anywhere, from any devices. VISA International launched a similar service last October, called VISA ID Intelligence, aka VIDI, a “platform” that allows banks and merchants to adopt third-party authentication technologies using APIs and SDKs.

There are other signs that an inexorable move toward biometrics is on. Mastercard allowing its users to complete transactions by using a fingerprint and facial recognition is the form of a “selfie.” Aetna, the giant medical insurer, has disclosed plans to replace passwords completely by 2018, using pins, fingerprints, and “behavioral” biometrics, which adds a fourth tenet to authentication, namely what you do such as the way you move your mouse. Barclays Bank promises to take biometrics even further by using vein-ID, the uniquely characteristic ways your blood vessels are arranged, a means of authentication harder to “trick” than fingerprints or faces.

But the proof for widespread adoption comes out of India and its Aadhaar ID program, which has provided 1.3 billion of its citizens with a unique identifier based on fingerprint and iris scans. That’s helped pave the way for the vast majority of Indians to open bank accounts, even when they may not have a birth certificate or license.

Make no mistake. Biometrics, used as a sole method of authentication, is not to be viewed as a panacea. Hackers have reportedly demonstrated proof of concept examples of how to fool Apple’s facial recognition technology with a mask made on a 3D printer. Most of all, biometrics, by themselves, also breach two cardinal rules of strong authentication. One, they’re not secret. Two, they can’t be changed if compromised.

Finally, biometrics need to be considered against the practicalities of convenience and sheer computing power. For the sake of both, a smartphone holds just enough fingerprint data to assure a fast response and, more importantly, a one-in-10,000 chance of making a mistake, or, as security pros call them, a false-positive or false-negative. Those odds seem long – until you scale them. That means for every 1 billion fingerprints smartphones authenticate, a million could be wrong.

Despite any downsides, though, the use of biometrics is inevitable. Teamed with other authentication factors the technology promises a soon-to-arrive future where the time-worn, all-too-porous password-only approach to authentication will become a thing of the past.

“The bad guys have been ahead of passwords since the 1980s,” according to Symantec’s Witten. “You can’t stand still for 30 years without consequence.”