Apple released the iPhone 5s in mid-2013 and brought biometric technology into the mainstream through its Touch ID individual identification capabilities. This deployment made some researchers believe that our physical or behavioral traits such as a fingerprint, palm vein, iris, face, or voice print will at some point replace the overused and insecure passwords (e.g. ‘abcdef’ or ‘123456’). There are many who believe that as a result of Apple’s Touch ID, individually identifiable physiological characteristics will be the future mode of human authentication.
Apple’s entry into the biometrics identity management market could be the tipping point for consumerization of biometric technology leading to the beginning of the end of personal identification numbers (PINs) and passwords.
Will Biometrics Replace Passwords?
For quite some time, passwords have been the default credential for human authentication. From our personal computers to e-mails, from application software to online banking, passwords are compulsory to authenticate ourselves. In short, passwords are part and parcel of our daily life. Although passwords are arguably the most commonly used authentication method, they come with many security and maintenance challenges.
Biometric authentication overcomes some of the major challenges we usually observe in a user ID and password-based authentication system, but its use still raises questions. If your identity is stolen, you can easily get a new user ID and password, but you can’t get new fingerprints.
Security analysts say user IDs and passwords have become out of date and obsolete because they can be easily compromised with freely available online tools, which is also true of the locks and keys of our homes. In some cases, a lock and key are adequate for our home security, just as the combination of a user ID and password is adequate protection for our personal computers.
However, the answer to which identification method is the most effective lies in the level of risk associated with theft of the information or data it protects. A thorough risk assessment should be conducted before implementing any authentication system to determine the business impact and costs of a data breach or malicious access. Some high-risk government organizations and large-scale businesses are currently deploying biometric authentication systems, where the cost of the breach would be greater than the cost of the deployment. Thus, if a database exists with large amounts of customer information or high-value financial transactions, then biometric technology would be the most appropriate solution after conducting a risk assessment.
Pros and Cons of Biometrics
In every aspect, biometric identification is stronger than traditional user ID and password-based identification because it cannot be easily compromised by criminals using brute-force computing. It’s nearly impossible for hackers to steal and reverse-engineer fingerprint images (a practice routinely done with computer files containing millions of passwords) because all biometric templates stored in a database are protected through strong encryption technology.
However, although biometrics offer some advantages over passwords, the technology is not 100% ideal for all environments. For example, a fingerprint scanner can be useless for a person without hands or someone with poor skin integrity.
Social, local, or technical issues can also inhibit mass use of biometric technology. Employees might refuse to use biometric identification technology for background checks or for more accurate time and attendance. Sometimes local data security laws stand against collecting or storing biometric data. On the technical side, standards are still evolving, with a number, including some proprietary ones, vying to become the dominant approach to using biometrics for identification.
Biometrics may slowly get a foothold as the default method of individual identification, but old-fashioned passwords aren’t fading away any time soon. While we are horrendous when it comes to password management, many companies are equally horrendous when it comes to protecting those passwords. Indeed, biometrics will not replace passwords by tomorrow or next week, but the right blend of individual identification methods is best decided after a thorough risk assessment.