NIST Digital Identity Guidelines for biometric security

NIST Publication on Digital Identity Guidelines

A simple Google search in the last week for the terms ‘biometrics’ and ‘password’ returns thousands of hits on articles projecting the death of passwords as we know them in favor of biometric security measures. Finger, face, iris, palm, vein – the list goes on and on, with each modality’s champion predicting that theirs is the nearest-term answer to the highest security and the simplest to use. The bottom line is that security, real security, in our online world is never going to be achieved by a single factor of authentication like a password or a biometric.

At a minimum, you need both a password and a biometric security measure. Two-factor authentication is becoming more and more important in an increasingly digital world. NIST recently published its updated draft of the Digital Identity Guidelines. The bottom line here is that if a system wants to securely use a biometric for authentication, it must have a second factor like a password or a PKI certificate (something the end user knows or has). So as much as we all want to get rid of all those passwords in favor of a simple fingerprint or selfie smile, don’t do it, no matter how convincing the argument sounds.