Is password dead? Or is biometrics the solution to user authentication?

Biometrics based authentication schemes start gaining popularity among financial institutes. A recent news report of Guardian explains HSBC’s rolling out voice and fingerprint recognition based user authentication to their customers, which follows Barclay’s deployment of voice recognition in 2013. Such moves are partly triggered by more mature biometrics techniques and partly by more and more security incident around leaked passwords. Some people start talking about now password is indeed dying, but is this really true?

My personal view is a mixed one: yes and no. While biometrics techniques are becoming more accurate and robust, they don’t come without drawbacks. A major one is privacy — different from the case of passwords leakage of a user’s biometric features mean leakage of something one cannot recover. Replacing one’s stolen identity in the biometric case will be much more difficult if not impossible. A second issue is that biometric itself does not necessarily offer the security one wishes as it is possible to spoof the system using faked biometric features, as demonstrated by Germany’s Chaos Computer Club in 2013 on Apple’s Touch ID. There are solutions to those problems, but none of them comes without their own new problems. A third issue is about the additional steps to get biometrics set up, which often cause more usability problems so that some service providers and users would not like to move to biometrics even other issues do not exist. To some extent, we can say biometrics does fix some problems of passwords, but bring its own new issues which could be worse.

Rather than consider biometrics as a replacement of the “dying” passwords, I think a combination of the two can make more sense. One way of doing so is to use a password for quick and first authentication, and then use behavioural biometrics for continuous authentication (a.k.a. implicit authentication) so that the presence of the current user is monitored continuously. This can help balance usability and security problems of both systems.

At SCCS we have researchers working on both user authentication and biometrics, and there is ongoing research about making password securer and more usable and applying behavioural biometrics for user authentication. Check our Human-Centred Security web page for more information.