Biometrics vs Password

The most common user authentication methods are based on passwords, that is sequences of alphanumeric characters which must be typed through a keyboard or keypad; largely diffused in bank applications are also the PINs (Personal Identification Number). Unfortunately, password and PIN have been proved to be not an effective method, since:

  1. If the users choose their own password or PIN, they are very likely to choose something easy to guess such as the date of birth of their partner. By entering the names of the authorized user's partners, children and pets, the number of their house or home telephone and other obvious choices, tests have shown that one would have a ninety percent chance of gaining access to a system [E. Newham, The Biometric Report, SJB Services, London 1995].

  2. When a password is sufficiently complex (e.g. randomly generated by a computer), the problem of having to remember it is sometimes overcomed by writing it down. This, of course, defeats the point of having something which you, and only you, know. One out of three people writes down the PIN for their bank card, according to a UK poll. Another information source estimates that nearly one out of five people have been unable to withdraw money from an Automatic Teller Machine (ATM) at some time because they have been unable to remember their PIN. Finally, the most "skilled" users often write down the password in encrypted form (by using extra characters, permutations, or simple arithmetic changes), but unfortunately some time later they forget their decryption rule!

  3. A password may be stolen by an individual who observes the owner entering it into a system

  4. A password can be deliberately lent to a colleague or a friend to whom the password owner wants to grant a certain privilege

By encapsulating a Password or a PIN into a Magnetic stripe card or Smart Card the user is not required to remember anything but the system can only assume that a certain person accessed that point at a certain time. There is no absolute way of knowing whether it was the authorized card holder or whether it was someone who had fraudulently obtained the authorized user's card. In other words, smart cards or other tokens can overcome the problems arisen by points 1) and 2), but are ineffective with respect to 3) and 4).

Using biometrics for user authentication is the only way to solve all the above problems and to guarantee the presence of the owner at the place where a transaction is made. In fact, biometric characteristics are very difficult to counterfeit, and cannot be lent or forgotten.

Finally, let us consider the authentication errors: FAR and FRR. It is well known that each biometric system can sometimes make errors:

  • False acceptance: In the "secure" biometric systems (like most of the professional systems based on fingerprints) the probability of falsely accepting an impostor is so small that it can be neglected in most of the applications. In any case, neither a password based system is secure against false acceptance, due to the probability of guessing the right character sequence. Powerful software utilities are nowadays freely available on Internet to help hackers in discovering passwords (by using dictionary or other kind of attack) and breaking security systems

  • False rejection: assuming that a password based method cannot reject a user which correctly entered a password, it would seem that a password based authentication method cannot cause rejections. The reality is quite different and each computer user is well conscious that, due to typewriting errors, he/she is more or less frequently required to enter again his/her password. In fact, especially when we quickly type a password, to avoid other people spy our access sequence or when the password is long and complex (to maximize security), it is very easy to make a typewriting error. Although the cause of the rejection is substantially different from a biometric rejection, the practical results are the same. Some experimentation demonstrated that PIN entering errors are about 18%, that is an amount significantly greater than the FRR of the majority of biometric systems