Ask the Expert

Will biometric authentication replace the password?

Because of the many password-cracking techniques being used today and the complexity necessary for passwords, do you think biometric information will ever completely replace the password?

Biometric authentication isn't the ultimate solution to all authentication problems. Though stronger than user IDs and passwords, it too has flaws and, in some rare cases, can be breached.

First, let's review where biometric technology sits in the pecking order of authentication. The recording of biometric data is considered a multifactor authentication mechanism. In authentication, there are three factors: something you know, such as a user ID and a password; something you have, such as a smart card or a one-time password (OTP) token; or something you are, such as a physical characteristic.

Biometric authentication tools record a unique physical characteristic of the user, such as a fingerprint, iris scan or facial pattern. Typically the user will have a user ID and password in addition to a biometric logon. This is a textbook example of two-factor authentication: something you know combined with something you are. Biometrics is then part of a defense-in-depth strategy that protects system access. If one factor is cracked, the other, hopefully, will still block malicious access.

But fingerprints can be spoofed, and images of them can be stolen, just like user IDs and passwords. The same can be said for a system based on facial recognition. A photograph of the user could be used to fake out the system, if the machinery is not properly configured.

There are other barriers to the growth of biometric authentication. First, it's difficult to compare systems equally, particularly for analyzing costs and implementation in an enterprise architecture. A fingerprint reader, for example, is set up differently than a voice recognition system or an iris scanning machine. Second, biometric technology is difficult to implement and requires a heavy investment in hardware and software, more so than simple password systems. Third, there is the question of customer acceptance and ease of use. Many people would be squeamish about looking into a beam that measures the iris.

Security observers say user IDs and passwords are obsolete and can be cracked with readily available online tools. But the same could be said about locks and keys for homes and offices. A lock and key are adequate for some homes, just as the combination of a user ID and password is adequate protection for some computer systems.

The answer is in the level of risk. Before implementing any authentication system, a thorough risk assessment should be conducted to determine the business impact and costs of a data breach or malicious access. Biometric authentication is only warranted for high-risk systems where the cost of the breach would be greater than the cost of the system. If there is a system with large amounts of customer information or high-value money transfers, then biometric devices may be appropriate.

Biometrics may slowly get a foothold, but old-fashioned passwords aren't fading away any time soon.

This was first published in February 2007
