Slashdot Mirror


Slashdot Asks: Should Businesses Switch To Biometric Passwords? (hbr.org)

This question was inspired by a recent article in Harvard Business Review: It's become abundantly clear that passwords are an untenable way to secure our data online. And asking your customers to keep track of complicated log-in information is a terrible user experience... The threat to security when relying on passwords is one reason businesses are increasingly migrating to biometric systems. Identity verification through biometrics can ensure greater security for personal information, while also providing customers with a more seamless experience in the digital environment of smartphones, tablets, sensors, and other devices... the idea is to verify someone's identity with a high degree of assurance by tying it to multiple mechanisms at once, known as biometric modalities [which] when used in concert, can provide a significantly safer environment for the customer, and are much easier to use... [I]f an app simultaneously requires a thumbprint, a retina scan, and a vocal recognition signature, it would be close to impossible for a bad actor to replicate that in the seconds needed to open the app.
This got me curious -- are Slashdot's readers already seeing biometric verification systems in their own lives? Share your experiences in the comments, as well as your informed opinion. Do you think businesses should be switching to biometric passwords?

3 of 204 comments

  1. Won't work seamlessly for everyone by AxeTheMax · Score: 5, Informative

    As usual, this will bring a collection of new problems for some. Will work fine for some people but others will struggle. Fingerprints will not be much use for me; my prints were clear when I was younger, but they have faded. To the extent that at a border control earlier this year where fingerprint capture was mandatory, the immigration clerk had difficulty with my left hand and found it impossible with my right. He wrote a brief report which said that he could just see the patterns but could not capture them. I might have been lucky not to be refused admission, but it seems this situation was not new to them.

  2. Identification, not authentication by Aethedor · Score: 4, Informative

    Let's take a look at the characteristics of a username:

    • - They are not secret. Often, they consist of a person's name, email address or employee number.
    • - Often, one and the same username is used for many systems.
    • - Changing a username is unusual or even impossible.

    And let's take a look at the characteristics of a password:

    • - They should be kept secret.
    • - You are strongly advised to use a different password for every system.
    • - Every system must allow you to change your password.

    Now, let's take a look at what a fingerprint or other biometric property is:

    • - They are not secret. You leave your fingerprints everywhere and it's very well possible to have your iris scan taken by other people [1].
    • - Because of the limited amount of biometric properties (ten fingers and two eyes), you will likely be using one biometric property for multiple systems.
    • - You can't change a biometric property on demand.

    Conclusion: biometric properties are more like usernames, not like passwords. So, use them for identification, not authentication. Any biometric system supplier telling you otherwise is just telling marketing nonsense.

    [1]: http://www.tomsguide.com/us/ph...

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  3. Re: I'm not sure I like the idea... by tysonedwards · Score: 4, Informative

    That's why people should adopt the philosophies of "biometrics = who you are (username)", leaving "passwords = something you know", and allowing for "tokenization = something you have". If usernames and passwords are decoupled to the point where biometric authentication serves as a realtime handshake of the resulting hash by the destination server, even to the point where they are stored in different tables with the functional equivalent of public key vs private key components, then the compromise of a single system would effectively result in a rainbow table only that needs to be iterated for all users on the system.

    --
    Thirty four characters live here.
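The split argued in comments 2 and 3 above, as an added example that is not code from the thread, the HBR article, or any vendor: the biometric only selects the account (a fuzzy nearest-template match, because a fresh capture never equals the enrolled one bit for bit and so cannot be salted and hashed like a password), and a salted password hash plus an RFC 6238 TOTP token are what actually authenticate. The user table, 64-bit templates, the 8-bit Hamming threshold, the TOTP secrets and the PBKDF2 round count are all constructed assumptions for illustration.

```python
# Added example, not code from the Slashdot thread or the HBR article: a login
# flow that applies the split argued in comments 2 and 3 above, with the
# biometric as an identifier (a fuzzy match that selects the account) and the
# password plus a TOTP token as the authenticators. All users, templates,
# secrets and thresholds below are constructed for illustration.
import hashlib
import hmac
import os
import struct

# A stored biometric template (think of an iris code) is a bit string that
# differs slightly on every capture, so it cannot be salted and hashed like a
# password; the server can only compare it against enrolled templates and
# accept the closest one within a distance threshold. Assumption: 64-bit
# templates, and at most 8 differing bits count as the same person.
HAMMING_THRESHOLD = 8
ALICE_TEMPLATE = 0xA5A55A5AF00DBEEF  # constructed enrolled template
BOB_TEMPLATE = 0x0F0FF0F012345678    # constructed enrolled template
PBKDF2_ROUNDS = 600_000


def hamming(a, b):
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def identify(capture, templates):
    """Return the username whose enrolled template is nearest the capture,
    or None when nothing is within the threshold. Identification only."""
    name, tmpl = min(templates.items(), key=lambda kv: hamming(capture, kv[1]))
    return name if hamming(capture, tmpl) <= HAMMING_THRESHOLD else None


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The password is a secret that is the same
    on every entry, so it can be hashed; the biometric cannot."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1 with RFC 4226 truncation) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret, code, at, step=30):
    """Accept the current window and one step either side for clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * step), code) for d in (-1, 0, 1))


def make_users():
    """Constructed user table: the template is kept for identification, the
    password hash and TOTP secret for authentication, in separate fields."""
    users = {}
    for name, tmpl, pw, secret in (
        ("alice", ALICE_TEMPLATE, "correct horse battery staple", b"alice-totp-secret-16"),
        ("bob", BOB_TEMPLATE, "hunter2", b"bob-totp-secret-1234"),
    ):
        salt, digest = hash_password(pw)
        users[name] = {"template": tmpl, "salt": salt, "pw_hash": digest, "totp_secret": secret}
    return users


def templates_of(users):
    return {name: rec["template"] for name, rec in users.items()}


def login(capture, password, code, users, now):
    """The biometric picks the account; the password and token prove it.
    Any failure returns None, so the biometric alone never grants access."""
    user = identify(capture, templates_of(users))
    if user is None:
        return None
    rec = users[user]
    if not verify_password(password, rec["salt"], rec["pw_hash"]):
        return None
    if not verify_totp(rec["totp_secret"], code, now):
        return None
    return user


if __name__ == "__main__":
    users = make_users()
    now = 1_700_000_000
    noisy_alice = ALICE_TEMPLATE ^ 0b111  # same eye, 3 bits of sensor noise
    code = totp(users["alice"]["totp_secret"], now)
    print(login(noisy_alice, "correct horse battery staple", code, users, now))  # alice
    print(login(noisy_alice, "guess", code, users, now))  # None
```

Two design points worth noticing: `identify` returns the nearest enrolled template, which is exactly the role a username plays, and a capture that matches nothing within the threshold (the faded prints in comment 1) falls through to the same "unknown user" path as a mistyped username rather than being treated as a failed secret. The TOTP routine is checked against the RFC 6238 test vector (secret `12345678901234567890`, time 59, six digits, `287082`) so the token leg is a real implementation rather than a stand-in.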