
Large enterprises are adopting device biometrics[1] such as iPhone Touch ID, Face ID, and their counterparts across the fragmented Android device ecosystem to enhance the customer experience[2]. Because such features remove friction, they are often talked about as improving not only usability but also security, given the many problems associated with passwords.

Passwords have not kept pace with the growth in online services, especially on mobile, so it is natural that device biometrics have eclipsed the username/password scheme in convenience[3]. With 81%[4] of large-scale data breaches resulting from weak or stolen credentials, passwords being the dominant form, it would also seem clear that authenticating into accounts and authorizing payments with biometrics has answered the question of how we will reduce the number of mass breaches. If only this were true.

Before assuming any security benefit from a user interface that spares the customer the hassles of password-based authentication, we first need a clear standard for what passwordless authentication is. If we define "passwordless" as an end state in which there is no password, then most implementations of device biometrics score high on usability but fail to answer the harder question: how will the service provider protect itself and its users from the risks of password-based authentication?

Most biometric authentication is added on top of legacy systems in which the consumer and the enterprise share a secret, a password, stored centrally on servers alongside every other consumer's password. When bank customers use Touch ID, they use their fingerprint to unlock the device or paste in a password
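To make the distinction concrete, the following is an added illustration written for this page, not code from the article, from Apple, or from any bank. It models two architectures side by side: the common one, where a local biometric match merely releases a stored password that is then sent to a server holding every customer's salted password hash, and a genuinely passwordless one, where the device holds a private key and the server stores only the matching public key (a toy Schnorr identification protocol stands in for the key-based scheme; the page itself names no particular protocol). The fingerprint template, the user names and passwords, and the deliberately tiny group parameters are all constructed for readability and are not fit for real use. The point it shows is what a dump of the server's credential table buys an attacker in each case.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def biometric_unlock(presented: bytes, enrolled: bytes) -> bool:
    """Stand-in for Touch ID / Face ID: a purely local match that gates access
    to whatever the device already stores. Nothing about the finger goes online."""
    return hmac.compare_digest(presented, enrolled)


# --- Architecture A: biometric convenience layered over a shared password ----

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordServer:
    # Central table of every customer's salted password hash: the shared secret.
    store: dict = field(default_factory=dict)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.store[user] = (salt, _pw_hash(password, salt))

    def login(self, user: str, password: str) -> bool:
        salt, digest = self.store[user]
        return hmac.compare_digest(digest, _pw_hash(password, salt))


def shim_login(server, user, keychain, enrolled: bytes, presented: bytes) -> bool:
    """The finger unlocks the locally stored password; that password is then
    transmitted and checked exactly as a typed password would be."""
    if not biometric_unlock(presented, enrolled):
        return False
    return server.login(user, keychain[user])   # the password still crosses the wire


# --- Architecture B: no password anywhere (toy Schnorr identification) ------
# Toy group: safe prime P = 2Q + 1 and generator G of prime order Q.
# Hypothetical, far too small for real use; chosen so the arithmetic is readable.
P, Q, G = 1907, 953, 4


def keygen() -> tuple:
    x = secrets.randbelow(Q - 1) + 1       # private key, never leaves the device
    return x, pow(G, x, P)                 # (private, public)


@dataclass
class KeyServer:
    pubkeys: dict = field(default_factory=dict)   # only public keys are stored

    def challenge(self) -> int:
        return secrets.randbelow(Q)

    def verify(self, user: str, t: int, c: int, s: int) -> bool:
        y = self.pubkeys[user]
        return pow(G, s, P) == (t * pow(y, c, P)) % P


def device_login(server, user, keychain, enrolled: bytes, presented: bytes) -> bool:
    """The finger unlocks the private key; the device proves possession of it
    in a challenge-response exchange without ever sending the key."""
    if not biometric_unlock(presented, enrolled):
        return False
    x = keychain[user]
    r = secrets.randbelow(Q - 1) + 1
    t = pow(G, r, P)                       # commitment sent to the server
    c = server.challenge()                 # server's random challenge
    s = (r + c * x) % Q                    # response; masked by the fresh r
    return server.verify(user, t, c, s)


def breach(server) -> dict:
    """What a dump of the server's credential table hands an attacker."""
    if isinstance(server, PasswordServer):
        return {u: {"salt": s.hex(), "hash": d.hex()} for u, (s, d) in server.store.items()}
    return {u: {"pubkey": y} for u, y in server.pubkeys.items()}


def crack_offline(dump: dict, guesses: list) -> dict:
    """Offline guessing against a breached password table: the attack that
    adding a fingerprint on the client side does nothing to prevent."""
    found = {}
    for user, rec in dump.items():
        if "hash" not in rec:
            continue                       # public keys give nothing to guess against
        for guess in guesses:
            if _pw_hash(guess, bytes.fromhex(rec["salt"])) == bytes.fromhex(rec["hash"]):
                found[user] = guess
    return found


def demo() -> dict:
    finger = b"enrolled-fingerprint-template"          # constructed stand-in
    pw_server = PasswordServer()
    pw_server.enroll("alice", "Summer2019!")           # constructed weak password
    ok_a = shim_login(pw_server, "alice", {"alice": "Summer2019!"}, finger, finger)
    cracked = crack_offline(breach(pw_server), ["password", "Summer2019!", "letmein"])
    key_server = KeyServer()
    priv, pub = keygen()
    key_server.pubkeys["alice"] = pub
    ok_b = device_login(key_server, "alice", {"alice": priv}, finger, finger)
    return {"login_a": ok_a, "cracked_after_breach_a": cracked,
            "login_b": ok_b, "breach_b": breach(key_server)}


if __name__ == "__main__":
    print(demo())
```

In both architectures the user experience is identical: touch the sensor, get in. The difference is entirely server-side. A breach of `PasswordServer` yields a table of salted hashes that an attacker can grind through offline, and a weak password falls immediately; a breach of `KeyServer` yields public keys, which are useless without the device-held private keys. That is the gap between a biometric front end on a password system and the "no password" end state defined above.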

Read more from our friends at Let's Talk Payments: