Can we replace passwords using biometrics, such as fingerprint or face recognition ?
Many people are using biometrics authentication method in our daily life, since they are convenient and easy to use. Slowly, you may have a perception that fingerprint or face recognition may replace your passwords one day. But you may be wondering, why this hasn�t happen yet? Every time, you reboot your mobile phone, the system will ask you for password to unlock your phone first, and then, you can use your fingerprint. If you want to turn on fingerprint or face recognition on your phone, you have to setup a PIN for the screen lock fist. Why the systems want to tie biometrics authentication together with passwords? The reason is biometrics authentication cannot replace passwords. Let�s have a look at the characteristics of biometrics authentication first.
Unique and immutable
Biometrics is unique and immutable information of ourselves, thus, they cannot be faked. As they cannot be faked or changed, we will be stuck in a dilemma if they are stolen by someone. From this point of view, biometrics is not safer than password. Biometrics and password have their own advantages and disadvantages, and cannot be replaced by each other.
Reliability
There are many factors that can affect the result of biometrics authentication. For example, humidity can affect the accuracy of fingerprint detection. I often heard the complaints from my friends that they always have problems to use fingerprint in autumn or winter. That is because the humidity in autumn and winter is low, so their fingers are too dry for the fingerprint sensors. Face recognition and iris recognition are also facing the similar issues, i.e., they can only be done with enough light. Therefore, biometrics authentication cannot be used alone as the reliability can be affected by many factors.
Comparison method
We can easily understand that biometrics authentication and password based authentication use different comparison methods. The comparison of password is very simple and accurate. The result can be either success or failure. The techniques used by biometrics are similar to image recognition. There is not a straightforward result of success or failure. Image recognition can only judge whether the level of similarity is within certain range or not. According to the degree of similarity, it tells you roughly on success or failure. This is another reason why biometrics authentication is not reliable enough.
Device dependency and complex data structure
Biometrics uses a much more complex data structure comparing to password. The data generated by the fingerprint sensor is defined by the vendor which cannot be used on other devices unless they are from the same vendor. This makes the fingerprint data device-dependent. Actually, other biometrics, such as iris recognition, also has the same problem. Therefore, the biometrics data cannot be used for authentication directly due to the compatibility issue. For example, the same fingerprint may generate different data on Android and iOS systems.
Well, how can we resolve the compatibility issue? Let�s say a banking application, if you want to turn on fingerprint, you have to login to the app using username and password first. When you turn on fingerprint from the setting of the app, the app will store authentication information in the secure storage of the device. This authentication information could be your username and password or something that the app can use to communicate with the application backend. The secure storage is device-unique which could be Keychain on iPhone or Keystore on Android. The data in the secure storage are isolated at the application level. One application cannot access the data stored by another application. The next time when you login to the banking app using the fingerprint, the system will unlock the secure data and the app will use the stored information to communicate to the application backend. That is, you actually provide your authentication information through fingerprint, but you are not using the fingerprint data to authenticate with the app directly.
Authentication information can be anything about you
Authentication information can actually be anything about you besides passwords or biometrics data. For example, you may need to provide your name, card number and date of birth so as to report the loss of your credit card. You may need to provide your username, ID card number and the remaining balance in your account in order to restore a locked PayPal account.
Right now, many banks have replaced the traditional counters with intelligent counters. When we use these intelligent counts, do we have all the data needed to perform the transaction? Facing the future, we have to organize our personal information nicely in order to deal with the challenges in our digital life.
If you are interested in the personal information management, please add PassXYZ Wechat public account by searching the keyword PassXYZ or link it using Wechat name passxyz_kpclib. You can also find more information about PassXYZ on its website and install it from Google Play, Apple Store or Microsoft Store.
For Windows 10 users, you can now get a free version of PassXYZ following the steps below:
1. Added PassXYZ Wechat public account
2. Send key word UWP to get a registration code
3. Install PassXYZ from Microsoft store using the registration code (200 users can use this code)