It's time to ditch passwords. Mobile-based biometrics offer a better way.

Passwords as an authentication mechanism have been declining in usefulness over time. The headlines are filled with increasingly sophisticated attempts at phishing passwords. And of course, some of those passwords aren't that difficult to guess anyway. 

As figure 12 from Verizon's 2019 Data Breach Investigations Report shows, more than 60% of data breaches can be traced back to a password compromise. Clearly, relying on passwords for security is a losing bet.

Given these weaknesses, it's about time we ditch passwords. We need password-free authentication mechanisms! 

I believe using mobile-based biometrics can offer a path to eliminate passwords while offering both increased security AND enhanced usability. Structuring solutions with care and thought can help preserve user's privacy as well.

Biometrics measure characteristics about you as an individual, such as your voice, face or fingerprint and then turn that into a unique model that can be used to identify you. Apple's Face ID for example uses facial characteristics to determine a person's identity. Microsoft's Windows Hello uses fingerprint or facial characteristics to let people log into Windows without a password. Millions of users are comfortable with using biometrics in their daily lives.

There are several issues with biometrics, but a well-designed system can mitigate or eliminate them. First, biometrics can be spoofed. Some biometrics such as fingerprints are easier to spoof than others such as face and voice. Second, the use of biometrics presents unique privacy concerns. They need to be stored carefully and their lifetime carefully controlled. Finally, there is always the possibility of false rejects, where a user doesn't match their own biometric.

With good product design using mobile-based biometrics, we can mitigate or eliminate these issues. A well-designed system would have the following features:
  • Use multiple biometric modalities (e.g. face and voice) for verification
  • Store biometrics securely on the phone
  • Use a given phone as a second factor of authentication

By combining the phone and collected biometrics, we have a powerful two-factor authentication system. An attacker would need to steal the phone as well as build a biometric spoofing system. Given how dependent users are on their mobile phones, they would quickly detect that their phone is missing should an attacker steal it. Compare this to passwords where users are usually unaware of their password being stolen. 

Next, by using multiple biometrics, the system can switch between biometric modalities to raise the difficulty for an attacker. For example, if the system collected face and voice biometrics, when the user wants access, it may randomly select one or both modalities to use. It can even adapt based on the risk profile of the authentication. Failure on one biometric may cause it to use the other. An attacker now not only has to steal the phone without detection, she also needs to build two distinct spoofing systems. Of course, there are simple techniques such as liveness to detect spoofing, as well as active research in academia on how to algorithmically detect spoofing, so we can have confidence that spoofing will become progressively more difficult. 

The use of multiple biometrics also deals with the false reject problem neatly. If a user fails authentication on one modality, they can usually succeed by trying again. If that fails, they can then try gaining access using the second modality. Since biometric systems are designed to have very low false reject rates, the probability of sequential false rejects across multiple modalities is infinitesimally small. 

Such a system can be made highly secure with this design, but what about user privacy? I think Apple presents a very viable model on how to treat user biometrics. It stores biometrics securely on the device, in the Secure Enclave. The mobile app using biometrics should only store the user's biometrics on the device, and under the highest security storage mode available. This way, biometrics can be protected from unauthorized access. In addition, they should be deleted when the mobile application is deleted. This gives users assurance that they are in full control of their data.

It is my belief that the promise of general-purpose password-free authentication systems, especially for enterprise authentication, will be fulfilled by mobile-based multi-biometric systems. Given the state of password authentication, their arrival will not be a moment too soon.