Will biometric authentication systems replace passwords?

Biometric authentication systems have gained traction on mobile devices, but when will they become dominant within the enterprise? Expert Bianca Lopes weighs in on the topic.

As biometrics adoption continues to grow, the question of whether the technology will replace passwords has moved from if territory to when.

But the when question still looms. Despite a number of enterprises exploring biometric authentication systems that use a combination of fingerprint, voice and behavioral scanning, many companies still rely primarily on customer-generated usernames and passwords, and they haven't fully developed or deployed those biometric authentication systems yet.

Biometrics expert Bianca Lopes sees adoption continuing beyond mobile devices, especially in light of the many credential exposures. But Lopes, former chief data officer for security vendor BioConnect, believes several steps need to be taken before biometric authentication systems can replace passwords in most enterprises.

Here, Lopes explains how she sees biometrics eventually becoming the dominant form of authentication.

Bianca Lopes: The adoption rate for biometrics has seen massive growth. It's expected that, by 2020, 100% of smartphones will have biometrics, so then it becomes a question about which populations don't have smartphones, which is a small number, and it's becoming increasingly small[er]. So you'll start to see biometrics being used every day.

I also think that the fear -- or the realization of the implications -- of password breaches is going to force changes. All of the banks I see have a password-less biometric authentication project -- every single one of them. You don't have to be a genius to figure out the potential there.

But you do have to figure out which department owns authentication. Each department thinks they own the identity of the customer or user. It's a very siloed approach within most enterprises.

I talked at the [2017] Cloud Identity Summit that we're still early [in] the conversation because it has been a secretive industry in a way. Biometrics was born out of security and law enforcement, and [a] lot of those technologies were on premises. But Apple changed the game by putting it in a convenient place for the everyday user.

Now, two things need to happen: we need better standards and protocols, and more transparency and education. For example, what is a biometric template? How does it work?

Some of your biometrics do, in fact, change over time; I age every minute of every day and my face changes every week. If you don't have what's called dynamic enrollment, then you're not capturing those facial changes. Your voice may change, and your behavior definitely changes based on context.

I think you'll start to see the coupling of biometric authentication systems with machine learning and contextual data because now we have better sensors that can pick that data up, and we can use it for identity and authentication that makes it really hard for attackers to beat. Imitating someone's behavior along with their face and their phone is going to become harder and harder.

This was last published in April 2018

Join the conversation

Has your organization explored replacing passwords with biometrics? Why or why not?
Is it too late to educate people how to use a password manager so they only have to remember one very good password? Maybe banks could even offer a service where clients can back up their secure digital data, like the password manager master password, which can only be accessed by showing up at a branch and confirming identity with an iris check.
Biometrics have gained traction at the ‘device level’, thanks to Apple raising the bar by including native OS-based biometrics as a standard feature in iPhones. That’s great for consumer applications, and as a result we’ve seen adoption increase. Not so much for the enterprise. Why the difference? (1) device-level authentication is too ‘coarse-grained’ for enterprises and (2) app-level biometrics is too hard. Almost no apps come with biometrics ‘out of the box’. Source code needs to change, and that brings up a whole set of barriers that bring adoption to a halt.
Agreed. App-level biometrics present an enormous challenge in the sense that it's unclear how the biometric data will be protected during transit/usage. In the case of devices, the data stays on the device (iPhone's secure enclave, for example) and isn't transmitted/stored in other apps or cloud services.
Hi. I have seen quite a few of the new bio authentication technologies. My view is that there will always be a need for 2 or more authentication factors, one of which will always be - something you know.