Every year some pundit declares that the password will soon be dead. I have been proclaiming for several years now that the password, by itself, is no longer a suitably strong form of security, and have been a champion for two-factor authentication.
Microsoft has recently stated that their Windows Hello facial recognition system is a suitable replacement for passwords. Windows Hello was introduced with Windows 10. In Redmond, Microsoft employees are using Windows Hello for Business in place of passwords.
Over in Cupertino, Apple has been touting its Face ID facial recognition product for the iPhone X. Undoubtedly Apple will bring this to the Mac and other devices. Are we really ready to move to facial recognition for authentication?
Facial recognition is one form of biometric authentication; others include finger and palm prints, voice recognition, iris and retinal scans, and esoterica such as typing cadence and mouse movements.
The National Institute of Standards and Technology (NIST) recently released new guidelines for authentication, and their take is that facial recognition, and in fact any form of biometrics, is inadequate by itself. There are two problems. First, biometrics are not secret. You leave fingerprints everywhere, and some facial recognition systems have been fooled by pictures or 3-D printed masks. The second problem is that they are not replaceable. In the event your facial biometric data is breached, you can’t just go out and get a new face.
All forms of biometrics create an encrypted data store that the system uses to authenticate you the next time. Microsoft requires that this encrypted data be stored on a Trusted Platform Module (TPM) chip for proper security. But recently there have been demonstrated security vulnerabilities in the TPM chip that could allow your biometric data to be exposed and replayed by an attacker.
So for the time being, I am going to stick with two-factor authentication, and a long password will still be one of those two factors.