Biometric Authentication and Passwords: Comparing Apples to Oranges
By André Delaforge, Head of Communication Advisory Committee, Natural Security Alliance
It has become standard practice to try to position biometric authentication relative to passwords. But we believe it is extremely hard to compare the two technologies because they serve different purposes and follow completely distinct approaches.
They do, however, share a few common traits. For example, you could say that neither passwords nor biometric authentication are in and of themselves secure, that their strength comes from being used in tandem with another factor. This other factor is a secret, preferably hidden in a secure object such as a SIM card or the chip of a bank card, which allows the user to cancel the object if he or she loses it. It is the combined use of biometrics with this second factor that guarantees that the user is actually present during a transaction or when accessing an online service.
So what will drive users to adopt biometric authentication in 2015? In an increasingly digital world, authentication has become a fundamental act. It is what enables us to connect to the cloud or digital vault that stores our confidential information (e.g. bank details, payslips, tax assessments) and personal files (e.g. vacation photos). On a more daily basis, it is what enables us to connect to webmail, access online banking, shop online and connect to social networks.
As more services become available online, we are required first to remember a growing number of passwords—often in different formats (e.g. special characters required or not allowed)—and then to change them on a regular basis. Password management software is a compelling option, but it does not resolve the problem of how to authenticate the actual person behind the device. For example, given that malicious hackers and identity thieves are capable of accessing all of a user’s online services, how can you make sure that it is actually the legitimate user connecting via SSO or using the password manager?
This is where biometrics truly shines: by providing fast strong authentication that is inherently tied to the individual user him/herself, it genuinely meets the user’s need.
A meaningless comparison that should not obscure the high stakes involved in authentication
The ongoing debate around passwords versus biometrics offers an opportunity to step back and look at the major questions we should be addressing early in 2015. The first question is why, whether we like it or not, biometrics has become a feasible technology, both practically and in public opinion.
With the need for authentication growing across the board and even emerging in new situations, biometrics can no longer be overlooked. A recent study conducted by the British Home Office as part of its National Cyber Security Programme revealed that users must remember an average of 19 passwords. On top of that, the everyday act of entering a complex password is tricky on a mobile phone or tablet. Mobility actually introduces a number of new challenges for authentication, including typing with one hand, on public transportation, in front of large crowds or, on the opposite end of the spectrum, from the deep recesses of a comfortable couch. The rule of simplicity (liberally derived from Occam’s razor, which posits that the simpler of two competing theories should be preferred) suggests that users will prefer the easiest way of doing something or the easiest technology. For example, users seem to have a harder time using a mouse now, and the keyboard shortcuts that were so popular a few years ago have become all but obsolete. When it comes to strong authentication, then, it follows that users will prefer fast, simple biometric authentication over complicated passwords. Since simplicity and the user experience are a key factor in adoption of technologies, it seems hard to move backwards. As Dave Birch (Consult Hyperion) observed, once users have grown accustomed to biometric authentication they will not be able to go back to a traditional system that requires them to enter an ID and a complex password.
What this means for the industry and for users
The authentication market is clearly developing around a few key actors, all based outside of Europe. Furthermore, since controlling authentication means controlling both client access and access to clients, authentication is set to become the gateway to all electronic transactions in the same way that Google has become the gateway to most internet searches.
Europe therefore needs to define strong authentication methods that users can easily adopt (e.g. fast, easy to use), that meet business requirements and that can be easily adapted to new situations. If Europe does not establish a strong position, we may see the emergence of a new Google in the world of authentication, a dominant gatekeeper for online services.
This is why we need to facilitate the development of strong authentication methods, especially ones that can be used to define an implementation standard for biometrics that is:
- Open: based on specifications available to all manufacturers instead of proprietary technologies.
- Part of an evaluation and certification scheme (e.g. the Biometrics Alliance Initiative’s biometric technology evaluation and certification program) that relies on testing by independent laboratories.
- Compatible with services requiring strong authentication (e.g. payment, access to online services).
- Able to securely protect authentication data.
- Compliant with recommendations issued by regulatory bodies (e.g. banks, data protection and privacy commissioners).
- Conducive to the development of ecosystems and local value creation.