

Biometric Authentication: Will We Ever Get Rid of the Password?

Mar 01, 2016

One of the biggest challenges for financial institutions today is protecting access to customer information. How can you be sure the person logging into a customer’s Internet banking application is who they claim to be? Since the inception of authentication, we have almost exclusively relied on passwords for authentication. But the FFIEC’s Authentication in an Internet Banking Environment states that passwords, at least alone, are not good enough. The guidance introduces requirements for dual or multifactor authentication. While providing an added layer of security, the extra factors tend to be some other question or the use of a token. This becomes cumbersome for the user, struggling to remember yet another password and then maintaining possession of a token or having to either look up or log into yet another location (with another password) to obtain the answer to some out-of-wallet question. Now, thanks to some technology improvements and perhaps the necessity of a more convenient process, biometric authentication is beginning to see more widespread use.

But will the traditional password as we know it truly die? Its death has been predicted before. And according to a survey presented by SecureAuth on December 15, 2015, 91% of surveyed IT professionals agree that traditional passwords will vanish within a decade. The increased acceptance of biometrics (97% of those surveyed professionals believe biometric authentication is reliable) and frustration over the burden of multiple passwords may help this prediction come to fruition. The inconvenience of using passwords leads to poor password construction, which can produce passwords that are easily guessed by others and, in turn, lead to loss. No one likes making periodic changes to passwords (and having to remember the new one!) or having to perform the “call of shame” if they forget their password.

Two distinct advantages of using biometric authentication are not having to remember and periodically change passwords and the relative ease of use. Employees as well as the public practically beg for something to make authentication simpler. With biometrics, you no longer have to rely on what you know but rather what you are (i.e., physical attributes such as facial recognition, fingerprints, iris scans) or what you do (i.e., behavioral data such as typing and handwriting analysis or the way you walk). They are unique to you, difficult to duplicate, and easy to use.

There are many types of biometrics in use and being developed. Some of the more promising ones are fingerprint/pattern scanning, facial recognition, and voice recognition biometrics.

Fingerprint authentication takes a digital impression of the ridges on all or part of your finger. Most systems today create a pattern from this impression so the fingerprint itself is not saved. It is extremely difficult to recreate the fingerprint from the pattern, which helps to ease the fear of loss or misuse. Fingerprint scanning is the most commonly used form of biometric authentication. User enrollment into the system is typically quick, and the technology is inexpensive. Apple introduced the Touch ID for the iPhone in 2013 with great success. However, injury to an enrolled finger will interfere with the ability to accurately scan prints. On some systems, fingerprints have been lifted from the reader, replicated, and successfully used to log in. More precise scanners that actually check for blood flow to the finger can be used to combat this spoof but at a higher cost. And like most forms of biometric authentication, there is still the lingering uneasiness of the intrusive nature of the method, even though actual prints are not saved.

Facial recognition is gaining acceptance as an authentication method. One of the reasons for this is the popularity of people taking pictures of themselves (selfies), which provides a level of comfort for the technology. Microsoft, Intel, and others are working on new advances in the use of infrared cameras, which have helped strengthen this form of authentication by taking a 3D image of the face, protecting against using someone’s picture to circumvent authentication. This is also a relatively speedy form of authentication. It is also contactless; therefore, a cut or scratch should not throw off the process like it can for fingerprint scanning. However, changes in appearance, such as growing a beard, significant weight changes, and use of hats and sunglasses, can cause rejections, prolonging or preventing authentication of legitimate users.

Voice recognition is another authentication method in its infancy in the banking sector. Enrollment into voice recognition involves repeating a phrase multiple times so the system can learn the person’s voice intonations. Once completed, the user just speaks the phrase whenever they need to be authenticated. If there is a match, access is granted. The system is reliable, easy to use, and is difficult to forge. However, the technology is still more expensive than many others, plus it uses a lot of storage to save recorded phrases used to match with submitted data. The system can also run into difficulties if there is excessive background noise.

There are drawbacks to the use of biometric authentication in addition to those relating to specific devices. Although not usually prohibitive, authentication will take more time with some technologies such as facial or voice recognition. This could lead users to lose patience with the system. Another difficulty is that you cannot “reset” your own biometrics like you can a password should it be compromised. Therefore, the security of the biometric information held for authentication is paramount. Pictures of fingerprints, people, and voice recordings can be used to attempt to circumvent security (though, as noted previously, advances in technology have helped to combat this). There is also the possibility of false rejections (denying a legitimate user) and worse yet, false acceptance (allowing an unauthorized authentication). Configuration of the specific authentication method should be fine-tuned to ensure no unauthorized users are allowed access.

Convenience and the increase in cyber threats seem to be factors in driving the technology. According to the U.K. website, Atom Bank, opening in 2016, will use face and voice recognition for customer logins. Wells Fargo & Company is also testing voice and iris recognition for customer authentication with a mobile application. Many others are planning for, testing, or piloting biometric technology. So will biometric technology win out and kill the password? Ultimately, the customer will decide.


Joel R. Lego
Senior Manager