Why do we even use passwords / passphrases next to biometrics?

Passwords and biometrics have distinct characteristics.

Passwords are secret data. Data is abstract: it flows quite freely across networks. Cryptography defines many algorithms which can use secret data to realize various security properties such as confidentiality and authentication. The shortcomings of passwords are due to the fact that they are meant to be memorized by human beings (otherwise we would just call them "keys") and this severely limits their entropy.

Biometrics are measures of the body (in a wide sense) of a human user. Being measures, they are a bit fuzzy: you cannot take a retinal scan and convert it into a sequence of bits, such that you would get the exact same sequence of bits every time. Also, biometrics are not necessarily confidential: e.g. you show your face to the wide World every time you step out of your home, and many face recognition systems can be fooled by holding a printed photo of the user's face.

Biometrics are good at linking the physical body of a user to the computer world, and may be used for authentication on the basis that altering the physical body is hard (although many surgeons make a living out of it). However, this makes sense only locally.

There is a good illustration in a James Bond movie (one with Pierce Brosnan; I don't remember which exactly): at some point, James is faced with a closed door with a fingerprint reader. James is also equipped with a nifty smartphone which includes a scanner; so he scans the reader, to get a copy of the fingerprint of the last person who used it, and then he just puts his phone screen in front of the reader; and lo! the door opens. This is a James Bond movie so it is not utterly realistic, but the main idea is right: a fingerprint reader is good only insofar as "something" makes sure that it really reads a genuine finger attached to its formal owner.

Good fingerprint readers verify the authenticity of the finger through various means, such as measuring temperature and blood pressure (to make sure that the finger is attached to a mammal who is also alive and not too stressed out); another option being to equip the reader with an armed guard, who checks the whole is-a-human thing (the guard may even double as an extra face recognition device). All of this is necessarily local: there must be a system on the premises that is inherently immune to attacks.

Now try to imagine how you could do fingerprint authentication remotely. The attacker has his own machine and the reader under his hand. The server must now believe that when it receives a pretty fingerprint scan, it really comes from a real reader, which has scanned the finger just now: the attacker could dispense with the reader altogether and just send a synthetic scan obtained from a fingerprint he collected on the target's dustbin the week before. To resist that, there must be a tamper-resistant reader, which also embeds a cryptographic key so that the reader can prove to the server that:

  • it is a real reader;
  • the scan it sent was performed at the current date;
  • whatever data will come along with the scan is bound to it (e.g. the whole communication is through TLS and the reader has verified the server certificate).

If you want to use the typing pattern, the problem is even more apparent: the measuring software must run on the attacker's machine and, as such, cannot be really trustworthy. It becomes a problem of defeating reverse engineering. It might deter some low-tech attackers, but it is hard to know how much security it would bring you. Security which cannot be quantified is almost as bad as no security at all (it can even be worse if it gives a false sense of security).

Local contexts where there is an available honest system are thus the contexts where biometrics work well as authentication devices. But local contexts are also those where passwords are fine: if there is an honest verifying system, then that system can enforce strict delays; smartcards with PINs are of that kind: the card locks out after three wrong PINs in a row. This allows the safe use of passwords with low entropy (a 4-digit PIN has about 13 bits of entropy...).


Summary: biometrics can bring good user authentication only in situations where passwords already provide adequate security. So there is little economic incentive to deploy biometric devices, especially in a Web context, since this would require expensive devices (nothing purely software; it needs tamper-resistant hardware).

Biometrics are still good at other things, e.g. making the users aware of some heavy security going on. People who have to get their retina scanned to enter a building are more likely to be a bit less careless with, e.g., leaving open windows.
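The remote-reader requirements listed in this answer (a real reader, a scan performed now, and accompanying data bound to the scan) can be made concrete as a small challenge-response exchange. The following is an added example, not code from the original post: the server issues a single-use nonce, the reader signs the nonce, its own timestamp, a hash of the scan and the channel-binding value with a key embedded in the device, and the server checks each property in turn. HMAC-SHA256 with a pre-shared per-device key stands in for what a real tamper-resistant reader would do with an asymmetric key; the reader id, key bytes, scan bytes and the "TLS exporter" channel value are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


class Reader:
    """Tamper-resistant reader, modelled as a holder of a per-device key."""

    def __init__(self, reader_id, device_key):
        self.reader_id = reader_id
        self.key = device_key  # assumption: provisioned at manufacture

    def attest(self, nonce, scan, channel_binding, now):
        # Everything the server must trust is inside the signed payload.
        body = {
            "reader_id": self.reader_id,
            "nonce": nonce.hex(),                     # freshness: server's challenge
            "issued_at": now,                         # reader's own clock
            "scan_sha256": hashlib.sha256(scan).hexdigest(),  # binds the scan
            "channel": channel_binding.hex(),         # binds the TLS session
        }
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag, "scan": scan}


class Server:
    WINDOW = 30  # seconds a challenge stays valid

    def __init__(self, registry):
        self.registry = registry      # reader_id -> device key
        self.outstanding = {}         # nonce hex -> time it was issued

    def challenge(self, now):
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce.hex()] = now
        return nonce

    def verify(self, msg, channel_binding, now):
        body = json.loads(msg["payload"])
        key = self.registry.get(body.get("reader_id"))
        if key is None:
            return (False, "unknown reader")
        # Check the signature first so a forged message cannot burn a nonce.
        expected = hmac.new(key, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "bad signature")
        issued = self.outstanding.pop(body["nonce"], None)  # single use
        if issued is None:
            return (False, "nonce unknown or already used")
        if not (issued <= body["issued_at"] <= now <= issued + self.WINDOW):
            return (False, "stale")
        if body["channel"] != channel_binding.hex():
            return (False, "channel mismatch")
        if hashlib.sha256(msg["scan"]).hexdigest() != body["scan_sha256"]:
            return (False, "scan not bound")
        return (True, "ok")


def demo():
    """Runs a genuine exchange plus the failure cases the answer describes."""
    key = bytes(range(32))                      # constructed device key
    reader = Reader("reader-0001", key)
    server = Server({"reader-0001": key})
    chan = b"constructed-tls-exporter-value"    # constructed channel binding
    scan = b"\x01\x02\x03\x04 constructed scan" # constructed scan bytes
    t = 1_700_000_000

    msg = reader.attest(server.challenge(t), scan, chan, t + 1)
    fresh = server.verify(msg, chan, t + 2)
    replay = server.verify(msg, chan, t + 3)    # same message sent again

    msg2 = reader.attest(server.challenge(t + 10), scan, chan, t + 11)
    synthetic = server.verify(dict(msg2, scan=b"synthetic scan"), chan, t + 12)

    msg3 = reader.attest(server.challenge(t + 20), scan, chan, t + 21)
    stale = server.verify(msg3, chan, t + 21 + 60)

    msg4 = reader.attest(server.challenge(t + 40), scan, chan, t + 41)
    wrong_channel = server.verify(msg4, b"other session", t + 42)
    return fresh, replay, synthetic, stale, wrong_channel


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The order of checks matters: the signature is verified before the nonce is consumed, so an unauthenticated attacker cannot invalidate an outstanding challenge, and the scan hash is inside the signed payload, so a valid signature over a different scan (the "synthetic scan from the dustbin" case) is rejected even though every other field is correct.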
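The smartcard-with-PIN point above (an honest local verifier that locks out after three wrong PINs, making a 4-digit PIN with about 13 bits of entropy acceptable) is shown here as an added example that is not part of the original answer. The verifier, the PIN value and the try limit are all constructed for illustration; the retry counter is decremented before the outcome is reported so that a lockout cannot be avoided by interrupting the comparison.

```python
import hmac
import math


class PinVerifier:
    """Honest local verifier: constant-time compare plus a hard try limit."""

    MAX_TRIES = 3  # assumption: mirrors the three-strikes card behaviour

    def __init__(self, pin):
        self._pin = pin.encode()
        self.remaining = self.MAX_TRIES
        self.locked = False

    def verify(self, attempt):
        if self.locked:
            return "locked"
        # Spend a try before comparing; a success refunds it below.
        self.remaining -= 1
        if hmac.compare_digest(self._pin, attempt.encode()):
            self.remaining = self.MAX_TRIES
            return "ok"
        if self.remaining == 0:
            self.locked = True
            return "locked"
        return "wrong"


def pin_entropy_bits(digits, alphabet=10):
    """log2 of the keyspace: 4 decimal digits give about 13.3 bits."""
    return math.log2(alphabet ** digits)


def online_guess_probability(tries, digits, alphabet=10):
    """Chance an attacker succeeds with the tries the lockout allows."""
    return min(1.0, tries / (alphabet ** digits))


if __name__ == "__main__":
    v = PinVerifier("1234")  # constructed PIN
    print(v.verify("0000"), v.verify("1234"))
    print([v.verify("9999") for _ in range(4)])
    print(round(pin_entropy_bits(4), 1), online_guess_probability(3, 4))
```

Without the lockout, 13 bits of entropy would fall to an online attacker in at most 10,000 attempts; with it, the attacker's chance per card is 3 in 10,000 and the card is dead afterwards, which is why the entropy shortfall is tolerable only when the verifier is honest and local.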


Abstracted across a network, most biometrics implementations can still be boiled down to the category of "something you know". For a discussion of how that happens with "something you have," take a look at "How is "something you have" typically defined for "two-factor" authentication?".

Biometrics suffer from a problem where once a credential is compromised, you can't change it. There are also some rather amusing compromises against fingerprint systems. Biometrics are great in certain areas, but logging into my bank account with a generic device and no password is not one of them.

Finally, because there is no uniform standard, there's a cost issue that's hard to surmount. Not only are devices not already an integral part of the computer like a keyboard is, but different models need different systems to interface with them.


There are significant problems with all of these as a primary identifier.

For example:

  • Fingerprints/Palm - What happens if I fall off my bike and scuff my hand across the ground? My fingerprints are ruined for some time - possibly permanently.
  • DNA - have you seen how easy it is to pick up blood or other material containing DNA?
  • Typing - this has some success, but the responses depend on tiredness, emotional state, differing keyboards etc.

They are all susceptible to both false positives and negatives - you can get that crossover point down to a low level, but you can't eradicate it entirely.

When compromised, you cannot change the identifier - this problem rules it out entirely!

Another issue with some of the biometrics generally considered more resistant to attack (for example the retina pattern) is that users really dislike the invasive nature of the scan. While many end users now accept a fingerprint scanner (despite fingerprints being proven not to be unique) having a retina scanner is seen as intrusive and even scary.

So the current process - use ID, password, token etc. as initial identifiers (all replaceable if needed - things you know or have) and a biometric as an additional preventative measure to mitigate the risk of the previous mechanisms being stolen and used by an attacker (something you probably are) seems to be the optimum in terms of:

  • support
  • resilience
  • layered security