The End of Passwords?

Every year some pundit declares that the password will soon be dead.  I have been proclaiming for several years now that the password, by itself, is no longer a suitably strong form of security, and have been a champion for two-factor authentication.

Microsoft has recently stated that their Windows Hello facial recognition system is a suitable replacement for passwords.  Windows Hello was introduced with Windows 10.  In Redmond, Microsoft employees are using Windows Hello for Business in place of passwords.

Over in Cupertino, Apple has been touting its Face ID facial recognition product for the iPhone X.  Undoubtedly Apple will bring this to the Mac and other devices.  Are we really ready to move to facial recognition for authentication?

Facial recognition is one form of biometric authentication, a category that also includes finger and palm prints, voice recognition, iris and retinal scans, and esoterica such as typing cadence and mouse movements.

The National Institute of Standards and Technology (NIST) recently released new authentication guidelines (Special Publication 800-63B), and its position is that facial recognition, and in fact any form of biometrics, is inadequate by itself: a biometric may only be used as one factor alongside something you have, such as a device holding its own cryptographic key.  There are two problems.  First, biometrics are not secret.  You leave fingerprints everywhere, and some facial recognition systems have been fooled by photographs or 3-D printed masks.  Second, they are not replaceable.  A breached password can be changed in a minute; if your facial biometric data is breached, you can't just go out and get a new face.

Every biometric system works the same way: at enrollment it extracts a template (a mathematical summary of your face or fingerprint, not a photo), stores it encrypted, and on each later login compares a fresh scan against that template.  The comparison is a similarity score checked against a threshold, not an exact match, because no two scans of the same face are identical.  Windows Hello keeps the encrypted template on the local device only; what Microsoft recommends protecting with a Trusted Platform Module (TPM) chip is the private key that a successful match unlocks, and it is that key, not your face, that signs you in to Windows or to an online service.  That makes the TPM the critical piece: recently demonstrated weaknesses in the key generation of some TPM chips could allow an attacker to recover such a key and impersonate you without ever touching your biometric data.
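The model just described, a fuzzy biometric match that does nothing but unlock a device-held key, which then answers a fresh challenge from the server, is easier to reason about in code.  The Python below is an added example written for this article, not Microsoft's or Apple's implementation: the 256-bit feature vectors, the 10% mismatch threshold, the constructed "scans", and the use of an HMAC key as a stand-in for the asymmetric key a TPM or Secure Enclave would hold are all assumptions.

```python
"""Toy model of device-side biometric authentication.

Constructed example for this article: the feature vectors, threshold and
"sensor" readings are made up, and an HMAC key stands in for the asymmetric
credential key a TPM or Secure Enclave would hold.
"""
import hmac
import secrets

MAX_MISMATCH_FRACTION = 0.10   # assumed matcher threshold: 10% of bits may differ


def enroll(sample: bytes) -> bytes:
    """Enrollment keeps the captured feature vector as the stored template.
    Real matchers extract features from an image; here the bits are the features."""
    return bytes(sample)


def mismatch_fraction(template: bytes, sample: bytes) -> float:
    """Fraction of differing bits between two equal-length feature vectors."""
    if len(template) != len(sample):
        return 1.0
    differing = sum(bin(t ^ s).count("1") for t, s in zip(template, sample))
    return differing / (8 * len(template))


def biometric_match(template: bytes, sample: bytes) -> bool:
    """A biometric match is a score under a threshold, never an exact compare:
    the same face never scans identically twice, so the matcher must tolerate noise."""
    return mismatch_fraction(template, sample) <= MAX_MISMATCH_FRACTION


def flip_bits(sample: bytes, positions) -> bytes:
    """Simulate sensor noise (or a different face) by flipping bit positions."""
    out = bytearray(sample)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


class Device:
    """Holds the template and the credential key.  The key never leaves the
    device and is only usable after a successful local match."""

    def __init__(self, template: bytes):
        self._template = template
        self._key = secrets.token_bytes(32)  # would live inside the TPM

    def registered_key(self) -> bytes:
        # Stand-in for registering a public key with the server.  HMAC is
        # symmetric, so the server receives the same secret; use ECDSA or
        # Ed25519 for the real thing.
        return self._key

    def answer(self, sample: bytes, challenge: bytes):
        """The scan gates use of the key; the scan itself is never transmitted."""
        if not biometric_match(self._template, sample):
            return None
        return hmac.new(self._key, challenge, "sha256").digest()


class Server:
    """Stores no biometric data, only the device key and unconsumed challenges."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._outstanding = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response) -> bool:
        if response is None or challenge not in self._outstanding:
            return False  # unknown or already-consumed challenge: a replay
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run enrollment, a normal login, an impostor, and a replay attempt."""
    enrolled = bytes(range(32))                       # constructed 256-bit scan
    template = enroll(enrolled)
    noisy = flip_bits(enrolled, range(0, 256, 16))    # 16 bits differ: 6.25% noise
    impostor = flip_bits(enrolled, range(0, 256, 3))  # 86 bits differ: ~34%
    device = Device(template)
    server = Server(device.registered_key())
    c1 = server.challenge()
    r1 = device.answer(noisy, c1)
    return {
        "noisy_scan_matches": biometric_match(template, noisy),
        "impostor_rejected": not biometric_match(template, impostor),
        "fresh_challenge_accepted": server.verify(c1, r1),
        "replayed_response_rejected": not server.verify(c1, r1),
        "impostor_gets_no_response": device.answer(impostor, c1) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Three things fall out of running it.  The matcher accepts a scan that differs from the template in 6% of its bits and rejects one that differs in a third, which is why a biometric can be neither an exact secret nor an input to a hash the way a password is.  The server holds no biometric data at all, only the registered key, so a breach of the server exposes nothing you cannot replace.  And a captured response is useless a second time because each challenge is consumed; the weak point is the device key, which is exactly why it belongs in a TPM.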

So for the time being, I am going to stick with two-factor authentication, and a long password will still be one of those two factors.

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA's non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference (2016, 2017, 2018, 2019), the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at
