Are Biometrics Usernames or Passwords?

The unveiling of the iPhone X and Face ID in 2017 didn’t just generate buzz among tech nerds; it also created demand for biometrics among a mainstream consumer audience.

Face ID will change behavior. We know this because we’ve seen this story before. When Apple rolled out Touch ID in 2013, Kevin Roose wrote in New York Magazine that general consumers might resist a feature traditionally used by business people on Wall Street. But Touch ID grew to become a mainstay of Apple products.

Face ID faces harder user experience challenges. Namely, it’s far easier to subtly check your phone during a business meeting by unlocking it with your finger than it is to unlock it by holding your phone in front of your face. Whether Face ID succeeds like Touch ID or fails like Google Glass, Apple’s willingness to boldly experiment will move the market forward.

That there is a market for biometrics is undeniable. The challenge I’m seeing isn’t whether consumers want biometrics, but whether companies implementing biometrics understand how they work in the context of their identity strategy.  

Biometrics as Identification vs. Authentication

A biometric is both a username and a password. Biometrics tend to cause a lot of confusion because they are used in different roles without people necessarily understanding what is happening in the background. I’ll share a few scenarios that illustrate when a biometric is a username and a password, address common (misinformed) arguments against a biometric as a password, and talk about how a biometric can be used simultaneously in both roles to minimize friction to the user.

A biometric is a username when the biometric is used for identification – identifying the unique owner of the biometric. For example, when a crime has been committed, the police may collect fingerprints from the scene of the crime. If the fingerprint matches the police database, then the biometric identifies the person who committed the crime. Quite literally, the police have the criminal’s username – that is to say his legal name, date of birth, and address.

A biometric is a password when the biometric is used for authentication – verifying that the same user is signing into a website over and over again. For example, when you enroll in Apple’s Touch ID or with your face on the iPhone X, the biometric is only stored locally on the device. By design, Apple does not have access to the biometric enrolled on the device. As a result, when you use the biometric to unlock your iPhone, the phone is just checking to see if the same user who enrolled the biometric is unlocking the device again. Effectively, this means that a criminal could open up a bank account with a compromised identity, and then protect the stolen account with his own fingerprint or face, because neither Apple nor the bank has access to the biometric he is using as a password.
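The on-device model described above, as an added illustration that is not from the original post or from Apple: the biometric template stays on the device, the device only answers "is this the same person who enrolled?", and the server verifies a device credential rather than the biometric itself. The bit-string templates, the matching threshold and the HMAC-based device key are constructed simplifications for the example.

```python
import hmac, hashlib, secrets

# Constructed simplification: templates are 8-byte bit-strings and two samples
# "match" when few enough bits differ. Real matchers use richer feature vectors,
# but they are equally fuzzy, which is why the template never leaves the device.
MATCH_THRESHOLD = 4  # maximum differing bits still accepted as the same user

def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

class Device:
    """Models a phone. The enrolled template is private to this object."""
    def __init__(self):
        self.template = None
        self.device_key = secrets.token_bytes(32)  # hypothetical device secret

    def enroll(self, sample: bytes):
        self.template = sample  # stored locally only

    def credential(self) -> bytes:
        # Registration shares the device key, never the biometric template.
        return self.device_key

    def sign_in(self, fresh_sample: bytes, nonce: bytes):
        # Authentication: is this the same user who enrolled on this device?
        if self.template is None or hamming(fresh_sample, self.template) > MATCH_THRESHOLD:
            return None  # biometric rejected locally; nothing is sent
        return hmac.new(self.device_key, nonce, hashlib.sha256).digest()

class Server:
    """Holds a device key per account and never sees a biometric."""
    def __init__(self):
        self.accounts = {}  # username -> device key

    def register(self, username: str, device_key: bytes):
        self.accounts[username] = device_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce defeats replay

    def verify(self, username: str, nonce: bytes, response) -> bool:
        if username not in self.accounts or response is None:
            return False
        expected = hmac.new(self.accounts[username], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(server: Server, device: Device, username: str, sample: bytes) -> bool:
    nonce = server.challenge()
    return server.verify(username, nonce, device.sign_in(sample, nonce))
```

Note that a second device holding a copy of the same face or fingerprint still fails, because the server trusts the enrolled device, not the biometric.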

Liveness Tests Protect Biometrics from Fraud

A common argument against biometrics as a password goes like this: you can’t get a new face or a new fingerprint so once a biometric is compromised you can’t trust it.

This is a false argument. As noted above, biometrics enrolled on a trusted device function just fine as a password. Additionally, liveness tests and contextual recognition allow biometrics to function securely as passwords.

For example, if someone uses a mask of your face to try to claim that they are you, then a liveness test could prompt a series of flashing lights from your camera during sign-in to defeat this attack. By watching how the face reacts, the computer can tell whether the user is wearing a mask or reacting like a normal human being. If the user reacts normally, the face is verified; if the user does not react, the user is likely wearing a mask and the attempt is rejected. Now, having a strobe light go off in your face every time you log in might be a bit jarring, but fortunately there is no need to perform this step each time. Once the biometric has been verified as legitimate, the device is trusted, which eliminates the need for this step the second, third, fourth, etc. time you log in.

All of our in-person interactions are biometric-based for usernames and passwords – for identification and verification. Our brains are excellent at unconsciously administering liveness tests based on face, voice, body type, diction, shared private memories, and mood. Someone could likely create a perfect clone of you, but it’s doubtful that clone could go to a family reunion as you and fool your family, because of the context the clone lacks. Michael Keaton made a movie about that scenario.

Facebook announced they are considering facial verification as a way to recover compromised accounts. If your Facebook account is stolen, then you can use your face to help Facebook identify you as the rightful owner of the account. For the initial rollout, Facebook will only allow users to perform this action from devices previously used to log in to the account – effectively using the device as the password and the face for identification.

There is nothing to prevent Facebook from eventually rolling out facial recognition with liveness detection as an option for ongoing login – using the face for both identification and password. Potential barriers standing in Facebook’s way are user experience and whether their liveness technology is strong enough to prevent impersonation attacks to the point where it can be trusted roughly as much as passwords are. Those problems are clear, and the identity industry will solve them.

The next time someone tells you that biometrics can’t be used as a password, simply ask them how they know that their mom is actually their mom when they speak with her. That should settle things pretty quickly.