The End of Passwords?

Every year some pundit declares that the password will soon be dead.  I have been proclaiming for several years now that the password, by itself, is no longer a suitably strong form of security, and have been a champion for two-factor authentication.

Microsoft has recently stated that their Windows Hello facial recognition system is a suitable replacement for passwords.  Windows Hello was introduced with Windows 10.  In Redmond, Microsoft employees are using Windows Hello for Business in place of passwords.

Over in Cupertino, Apple has been touting its Face ID facial recognition product for the iPhone X.  Undoubtedly Apple will bring this to the Mac and other devices.  Are we really ready to move to facial recognition for authentication?

Facial recognition is one form of biometric authentication, a category that also includes finger and palm prints, voice recognition, iris and retinal scans, and esoterica such as typing cadence and mouse movements.

The National Institute of Standards and Technology (NIST) recently released new guidelines for authentication, and their take is that facial recognition, and in fact any form of biometrics, is inadequate by itself.  There are two problems.  First, biometrics are not secret.  You leave fingerprints everywhere, and some facial recognition systems have been fooled by pictures or 3-D printed masks.  The second problem is that they are not replaceable.  In the event your facial biometric data is breached, you can’t just go out and get a new face.

All forms of biometrics create an encrypted data store that the system uses to authenticate you the next time.  Microsoft requires that this encrypted data be stored on a Trusted Platform Module (TPM) chip for proper security.  But security vulnerabilities have recently been demonstrated in the TPM chip that could allow your biometric data to be exposed and replayed by an attacker.

So for now, I am going to stick with two-factor authentication, and a long password will still be one of those two factors.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.