The End of Passwords?

Every year some pundit declares that the password will soon be dead.  I have been proclaiming for several years now that the password, by itself, is no longer a suitably strong form of security, and have been a champion for two-factor authentication.

Microsoft has recently stated that their Windows Hello facial recognition system is a suitable replacement for passwords.  Windows Hello was introduced with Windows 10.  In Redmond, Microsoft employees are using Windows Hello for Business in place of passwords.

Over in Cupertino, Apple has been touting its Face ID facial recognition product for the iPhone X.  Undoubtedly Apple will bring this to the Mac and other devices.  Are we really ready to move to facial recognition for authentication?

Facial recognition is one form of biometric authentication, a category that also includes finger and palm prints, voice recognition, iris and retinal scans, and esoterica such as typing cadence and mouse movements.

The National Institute of Standards and Technology (NIST) recently released new Digital Identity Guidelines (SP 800-63B), and its position is that facial recognition, and in fact any form of biometrics, is inadequate by itself: biometrics may only be used as one factor alongside a physical authenticator, something you have.  There are two problems.  First, biometrics are not secret.  You leave fingerprints everywhere, your face is in every photo of you, and some facial recognition systems have been fooled by pictures or 3-D printed masks.  Second, biometrics are not replaceable.  If your facial biometric data is breached, you can't just go out and get a new face, whereas a compromised password can be changed in a minute.

Every biometric system stores a template, a mathematical summary of the face, print or iris rather than a photograph, and compares the live sample against that template the next time you authenticate.  Windows Hello keeps the template encrypted on the device, and a successful match does not itself log you in: it unlocks a private key, which Microsoft protects in the Trusted Platform Module (TPM) chip where one is present, and that key is what answers the sign-in challenge.  But security vulnerabilities have recently been demonstrated in TPM chips, which raises the question of whether the key material the chip protects could be extracted and then used to impersonate you.
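The difference between treating the biometric as a secret and using it, as Windows Hello does, only to unlock a device-held key is easier to see in code.  The following is an added example, not code from the original post or from Microsoft.  It stands in an HMAC with a symmetric device key for the TPM-protected private key so that it runs on the Python standard library alone (a real deployment uses an asymmetric key so the server holds only a public key), and the templates, the exact-match "matcher" and the two server classes are constructed stand-ins for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for an enrolled biometric template. Real systems store a
# feature vector, not a hash; bytes are enough to show the protocol difference.
ENROLLED_TEMPLATE = hashlib.sha256(b"constructed face template for user alice").digest()


def biometric_match(candidate: bytes, enrolled: bytes) -> bool:
    """Local matcher stand-in (exact match). Real matchers score similarity against
    a threshold, which is one more reason a template can never act as a secret."""
    return hmac.compare_digest(candidate, enrolled)


class TemplateAsSecretServer:
    """Weak design: the server holds the template and the client sends a copy on
    every login. Whatever crosses the wire can be captured and sent again."""

    def __init__(self, enrolled: bytes) -> None:
        self._enrolled = enrolled

    def login(self, presented: bytes) -> bool:
        return biometric_match(presented, self._enrolled)


class HelloStyleDevice:
    """Windows Hello-style design: the biometric is a local gesture that unlocks a
    device-bound key. The key never leaves the device; only a response to a fresh
    server challenge is transmitted."""

    def __init__(self, enrolled: bytes, device_key: bytes) -> None:
        self._enrolled = enrolled
        self._device_key = device_key  # assumption: on real hardware this sits in the TPM

    def answer_challenge(self, candidate: bytes, nonce: bytes) -> Optional[bytes]:
        if not biometric_match(candidate, self._enrolled):
            return None  # no match: the key stays locked and nothing is sent
        # HMAC stands in for the TPM signing the nonce with a private key.
        return hmac.new(self._device_key, nonce, hashlib.sha256).digest()


class ChallengeResponseServer:
    def __init__(self, device_key: bytes) -> None:
        self._device_key = device_key
        self._outstanding: set = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(32)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        # Each nonce is accepted exactly once, so a replayed (nonce, response) pair fails.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._device_key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_comparison() -> dict:
    """Enrol alice in both designs, let an attacker capture one login, and replay it."""
    results = {}

    # Design 1: the captured template is a reusable credential.
    weak = TemplateAsSecretServer(ENROLLED_TEMPLATE)
    captured = ENROLLED_TEMPLATE  # what a network observer or a breach obtains
    results["weak_first_login"] = weak.login(ENROLLED_TEMPLATE)
    results["weak_replay_succeeds"] = weak.login(captured)

    # Design 2: the template never leaves the device and a replayed response is rejected.
    device_key = secrets.token_bytes(32)
    device = HelloStyleDevice(ENROLLED_TEMPLATE, device_key)
    server = ChallengeResponseServer(device_key)
    nonce = server.new_challenge()
    response = device.answer_challenge(ENROLLED_TEMPLATE, nonce)
    results["strong_first_login"] = server.verify(nonce, response)
    results["strong_replay_succeeds"] = server.verify(nonce, response)  # same pair again

    # A non-matching face (a photo that fails the matcher) unlocks nothing.
    wrong_face = hashlib.sha256(b"constructed template of someone else").digest()
    results["strong_wrong_face_response"] = device.answer_challenge(wrong_face, server.new_challenge())

    # The breach case from the text: holding the template without the device key
    # does not let an attacker answer a fresh challenge.
    nonce3 = server.new_challenge()
    forged = hmac.new(b"attacker guess at the device key", nonce3, hashlib.sha256).digest()
    results["strong_template_alone_succeeds"] = server.verify(nonce3, forged)
    return results
```

Run `run_comparison()` and note that the weak design accepts the replay while the challenge-response design rejects both the replay and a forged answer; the same property is why NIST will only count a biometric as a factor when it is bound to a physical authenticator holding the key.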

So for the time being, I am going to stick with two-factor authentication, and a long password will still be one of those two factors.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
