In December we polled 165 professionals in biometrics and identity-related industries about various topics from the past year. It was part of the FindBiometrics Year in Review, the longest-running and best-regarded industry retrospective of its kind. Now in its 14th consecutive year, the FindBiometrics Year in Review is your resource to start 2017 off with your fingers on the pulse of biometrics and global identity management.
One of the grand promises of biometric technology is that it will one day make passwords obsolete as a form of access control—replacing the shareable, forgettable, steal-able and hack-able ‘something you know’ factor with the more personal and secure ‘something you are.’ And while biometrics are gaining traction and seeing deployment everywhere from the enterprise, to financial applications, to government e-Services, we are still using passwords, which in turn are still presenting major security risks.
For some time, the year 2020 has been touted as the likely date of death for the password. Now, with that deadline only three years away, we asked our survey respondents the following question:
Are biometrics on track to replace the password by 2020?
Here is what they had to say:
A total of 66 percent voted in the affirmative category, with some claiming that the password is already dead (a metric that benefits from some context: 47 percent of our respondents use biometrics more than five times a day). Thirty percent of our respondents sided with an alternative view, that a hybrid authentication combining passwords and biometrics is more likely, while eight percent said that they believe passwords will still be the primary form of logical access control.
Biometrics Are (Almost) Everywhere
While it is hypothetically possible to eliminate the use of passwords from one’s life today, it is undeniable that the outmoded security factor is still commonly used. That having been said, 2016 brought a great number of advancements toward the oft-championed large-scale biometric replacement of passwords. There are three big conditions that need to be met for biometrics to be truly viable for ubiquity—accessibility, efficacy, and large-scale support—and in 2016 we saw forward momentum on all of these fronts.
In terms of accessibility, it is easy to see how biometrics are encroaching on passwords’ turf. According to the latest research from Acuity Market Intelligence, there are now 500 biometric smartphone models available on the global market, with 120 of them priced at under $150. The Windows 10 operating system has also played a role in accessibility, with its Windows Hello platform supporting multimodal biometric authentication. In 2016 multiple Windows Hello-ready devices were made available, allowing for easy biometric upgrades on devices running Microsoft’s OS. FIDO Certification continued too: last year the strong online authentication consortium saw the number of FIDO Certified products grow by 200 percent.
What Still Needs Doing
Just because you have a biometric authentication solution doesn’t mean it can replace all of your passwords, and sadly this is where we hit a bump in the road. Biometric login simply isn’t an option for many online services and websites. In fact, the situation online is still pretty dire here at the outset of 2017: biometrics are still primarily a luxury of convenience when they are even supported for login. Steps are being taken in the right direction, with Facebook having just embraced two-factor support and Google actively aiming to do away with traditional passwords, but as it is, those of us with biometrics enabled on our devices are still at the mercy of the decisions of the companies whose services we use.
Finally, for biometrics to truly replace passwords, the technology needs to reach a level of efficacy beyond where the consumer standard is today, one at which it cannot be circumvented by weaker authentication means. As explored earlier in our Year in Review coverage, if a malicious person can access your device or account by ignoring your biometric security and simply entering a PIN or a password, then I have bad news for you: you’re only really protected by a password or PIN.
Both of these challenges—wide support and better security—do seem achievable in the next three years. Biometrics are near-ubiquitous, they are becoming more advanced, and service providers are indeed coming around to enforcing post-password security (albeit at a frustratingly slow pace).
The Hybrid Future
It is possible, however, that the password will remain a part of our lives beyond 2020. Indeed, there is an attitude among some financial services providers that a customer ought to be given the option of how to authenticate, and there are some who think that passwords can still have a role to play in a multi-factor authentication ecosystem as an easy-to-change additional layer of security when coupled with biometrics. There are solutions that allow for this already on the market, specifically multimodal software platforms for enterprise security that can support any and all authentication factors.
With flexibility, multimodality, and user choice having taken so much of the spotlight in the discussions around the future of authentication (in nearly all of our 2016 webinar presentations experts agreed that multimodality is an industry-wide trend), it seems plausible that while the password will surely diminish, and very well could be eliminated by 2020, it won’t truly be killed until service providers and device makers stop offering it as a security option. The post-password future is achievable and within grasp, but it might need to be enforced.
Stay posted to FindBiometrics throughout January as we continue to break down our Year in Review 2016 results.