For anyone who was paying attention, it was clear from the outset of the internet that as it increased exponentially in size, the number of accounts and therefore passwords we would need would only increase with it. The “work email and home email” passwords would quickly be lost in a sea of online shopping accounts, social media accounts, website passwords and so on. This led many to think that passwords were doomed, as the sheer number of them made them impossible to remember.
For well over a decade, the same story has repeated itself time and again: passwords are in their death throes, and biometrics is on its way to becoming the be-all and end-all of authentication. Yet the reports of the end of passwords have been greatly exaggerated, or indeed completely fabricated.
When I went to my first RSA conference in 2007 to talk about how to solve the then oncoming problem of password overload, I was met with the assumption that passwords were on their way out. Biometrics, I was told, had finally arrived. And bowled over by seeing so much impressive gear in one place along with their enthusiastic evangelists, I was almost tempted to believe the hype. Partly I blame science fiction—watch enough films with people subjecting their eyes to ID scans and you start to believe that that is the way the world is headed is a hurry.
Time has passed since then, and I have only felt more and more vindicated in sticking to the well-trodden password route. Affordable, reliable biometrics has remained a philosopher’s stone for the security industry. However secure it might be, the problems of convenience mount up: dirty fingers, the deterioration of the skin with age, the simple fact that if there is a breach there is practically very little you can do to get past it: you can’t reset your finger.
And then there is the security itself. Yes, biometrics does provide something completely unique to you. But this can be copied relatively simply. Earlier this year, security firm FireEye demonstrated a fingerprint hack at the RSA conference, showing how they could intercept your biometric data before it hits your devices’ secure zone. Or there was the embarrassing case in 2013 in which Chaos Computer Club broke into an iPhone 5S by simply scanning a fingerprint with a domestic scanner. In another recent case, security researcher Jan “Starbug” Krissler claimed he could bypass iris scanners just by holding up high-resolution printouts to the camera.
While these problems can feasibly be overcome, there is no getting around the fact that you can’t change what you’re born with. If your password is breached, you might rant and rave and curse the breached company, but at least you can change the password and resume normal life. In the supposed utopia in which biometrics have replaced passwords, breach of your fingerprints leaves you compromised for life.
Multifactor authentication seems more likely to be the future, a kind of Greek phalanx effect in which each security option covers the weakness of the other. The “what you have, what you know, what you are” solution includes a piece of hardware or a physical key, a password or security question, and something biometric. This dramatically increases the user’s security more than any single factor—no matter how secure you believe that one factor to be.
The essential fact about a password is that it is an easily changeable and specific identifier for an individual. This fact is as useful now as it as it was to Roman soldiers entering camp two thousand years ago, and as it will be most likely be for another two thousand years.