Passwords Are Outdated: Why 2019 Will See a Rapid Shift to Biometrics

As we celebrate the 50^th anniversary of the first internet transmission in 1969, Andrew Shikiar, Chief Marketing Officer of the FIDO Alliance, notes that concerns over online privacy and security are intensifying.

Authentication is no longer a peripheral issue; recent high‑profile breaches often stem from a single compromised username‑password pair. The problem is exacerbated by the widespread practice of storing such credentials in centralized databases that are attractive targets for increasingly sophisticated attackers.

Despite growing awareness of passwords’ fragility—more than 2.3 billion credentials were stolen last year—passwords remain the default for securing online access. Collectively, users spend an astonishing 1,300 years every day typing them.

Technological progress has outpaced authentication protocols, and recent incidents highlight that our protective infrastructure is lagging. Biometrics, along with other advanced methods, are now readily available and can significantly enhance both security and user experience.

Good news

There is good news: global leaders are converging on standards—such as those set by the FIDO Alliance—to replace weak password‑based authentication with robust, hardware‑based methods that incorporate biometrics.

In practice, a user can swipe a finger, speak a passphrase, look at a camera, or press a button on a hardware authenticator to log in, make a purchase, or access a service. The device‑based factor then unlocks a private cryptographic key that authenticates the user to the service.

Because biometrics and cryptographic keys reside on local devices and are never transmitted over the network, shared secrets are eliminated. Even if a service provider is compromised, user credentials remain secure, preventing large‑scale data breaches.

Throughout 2019, biometrics will continue to streamline online authentication. For example, EMVCo’s updated 3D Secure will be fully optimized for mobile, enabling the deployment of fingerprint, iris, and facial recognition technologies.

As more consumers adopt biometric authentication, the shortcomings of passwords will become increasingly evident. This shift creates an urgent need for industry‑wide standards and best practices, which will also inform emerging governmental regulation.

Robust authentication

With EU banks required to meet the Payment Services Directive’s Strong Customer Authentication (SCA) mandates by September 2019, investment in robust authentication—including biometrics—will accelerate.

Online platforms that adopt strong authentication protocols will help normalize SCA, moving it from a novelty to a standard practice. Leading web browsers, Windows 10, and Android already support standards‑based strong authentication, and we expect the adoption of these measures to expand to millions of new internet users this year.

While much remains to be achieved, the Internet’s 50^th birthday could mark the widespread adoption of modern, strong authentication, dramatically enhancing privacy, security, and user experience.

The author of this blog is Andrew Shikiar, chief marketing officer of the FIDO Alliance