The End of Passwords?

Every year some pundit declares that the password will soon be dead.  I have been proclaiming for several years now that the password, by itself, is no longer a suitably strong form of security, and have been a champion for two-factor authentication.

Microsoft has recently stated that their Windows Hello facial recognition system is a suitable replacement for passwords.  Windows Hello was introduced with Windows 10.  In Redmond, Microsoft employees are using Windows Hello for Business in place of passwords.

Over in Cupertino, Apple has been touting its Face ID facial recognition product for the iPhone X.  Undoubtedly Apple will bring this to the Mac and other devices.  Are we really ready to move to facial recognition for authentication?

Facial recognition is one form of biometric authentication; others include finger and palm prints, voice recognition, iris and retinal scans, and esoterica such as typing cadence and mouse movements.

The National Institute of Standards and Technology (NIST) recently released new guidelines for authentication, and their take is that facial recognition, and in fact any form of biometrics, is inadequate by itself.  There are two problems.  First, biometrics are not secret.  You leave fingerprints everywhere, and some facial recognition systems have been fooled by pictures or 3-D printed masks.  The second problem is that they are not replaceable.  In the event your facial biometric data is breached, you can't just go out and get a new face.

All forms of biometrics create an encrypted data store that the system uses to authenticate you the next time.  Microsoft requires that this encrypted data be stored on a Trusted Platform Module (TPM) chip for proper security.  But recently there have been demonstrated security vulnerabilities in the TPM chip that could allow your biometric data to be exposed and replayed by an attacker.

So for the meanwhile, I am going to stick with two-factor authentication, and a long password will still be one of those two factors.

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
