November 14, 2018
Large enterprises are adopting device biometrics such as iPhone Touch ID, Face ID, and their counterparts across the fragmented Android device ecosystem to enhance customer experience. Often, features such as these that remove friction are also talked about as improving usability and security, due to the many problems associated with passwords.
Passwords have not kept pace with the growth in online services, especially on mobile, so it’s natural that device biometrics have eclipsed the username/password scheme in terms of convenience. With an 81% of large-scale data breaches being the result of weak or stolen credentials, passwords being the dominant form, it would also seem clear that using biometrics to authenticate into accounts and authorize payments has answered the question of how we’ll reduce the number of mass breaches. If only this were true.
It’s important that we first arrive at a clear standard for what passwordless authentication is before we make an assumption about the security benefits of a user interface where a customer is no longer exposed to the hassles of password-based authentication. If we define passwordless as an end state in which there is no password, then most implementations of device biometrics score high ...