When it comes to computing, passwords have been with us since the very beginning. The very first logins were set up as part of MIT’s Computer Time Sharing System in 1960, and as computing hit the mainstream, passwords became an established part of our lives.
However, the beloved password isn’t without its flaws, and as technology becomes more advanced, its problems are becoming increasingly evident. Worryingly, Verizon’s 2016 Data Breach Investigations Report (now updated) found that 63% of confirmed data breaches involved weak, default or stolen passwords, and that breaches were typically exacerbated by consumers opting to reuse passwords, or share them with family and friends. Given that the most commonly used password is ‘123456’, most dono’t present much of a challenge to savvy phishing and hacking attacks.
Enter biometrics. For a long time, biometric authentication – identity verification based on measurable biological traits – has been considered the technology most likely to supplant passwords. Directly addressing the weaknesses of passwords, biometric measures are secure, they don’t tax your memory or rely on your ability to keep them secret, and you can’t lose, forget or share them. Many banks have already begun to implement biometric security procedures, with consumers now using all types of digital banking technology, including HSBC’s voice recognition system, Mastercard’s selfie payment technology, and Barclays’ finger vein authentication technology.
Nonetheless, as with passwords, there are challenges. For a start, implementing biometric security measures can be costly and complex – a significant hindrance to any business. Additionally, most biometrics are not black and white: When we enter a password, it’s either right or wrong, with no margin for error. Biometrics, on the other hand, say how likely it is that somebody is who they claim to be and need to be tuned.
Finally, and most importantly, biometrics cannot be reset. Once a security breach has occurred, there’s no turning back. People can’t change their tone of voice or their fingerprints, and we’ve already seen security measures hacked with very little effort.
A lot of work is being done to try to make biometrics more affordable and less susceptible to breaches. One potential option is through exploring behavioural measures that, unlike physical attributes, can be reset. Moreover, two-factor authentication (2FA) systems offer another alternative. By combining a password and something you ‘have’, such as a mobile device, you can create a robust process that could extend the life of password authentication into the foreseeable future. And, while it lacks the convenience of the traditional method, it’s a step in the right direction in providing a highly secure, easy to use and resettable process.
Ultimately, it’s becoming clear that current password processes aren’t working well enough or doing what they’re designed to do, which is protect us. They need to be improved. By combining stronger password authentication with efficient monitoring of unusual behaviour, and with the added security of biometrics through financial services technology, consumers can continue to enjoy the considerable advantages of a low-cost, simple and secure digital customer journey.
- Read more on this topic in Simon’s white paper, ‘Your body won’t replace your passwords‘.
- See also Patrick Brusnahan’s article, ‘Can passwords be replaced by the human body?‘.