Two-factor authentication (2FA) solutions are based on the premise that the combined verification of (i) something possessed (a card) and (ii) something known to the user (a PIN or password) provides a high degree of assurance when authenticating users. For financial and enterprise transactions it gives a high level of security. But 2FA is not a seamless solution – as the number and variety of services and devices per user increases – it requires the user to carry a number of cards/tokens/devices and to remember several passwords (each unique, complex, and regularly updated). It is also not a foolproof solution, as identity theft continues to be a problem.
With the large number of IoT applications and devices appearing, the problem will become worse. Consider a health monitoring device that needs to periodically share a patient's information with her family members and doctor, while keeping that information safe from attacks on the cloud service. Or consider keyless entry to vehicles or homes. For such common use cases, entering complex passwords would be cumbersome.
With biometric authentication methods, such as the fingerprint-based authentication on Apple and Samsung phones, there is a more direct identification of the user. But the way this is commonly used is not to eliminate passwords completely – it is typically used to
- store existing passwords securely,
- reduce repeated password entry by extending a session created with an existing password,
- be combined with a user identifier such as a phone number or email address, or
- be combined with a password (e.g. for BYOD deployments where multiple users can register fingerprints on the same device).
One can imagine a two-factor authentication scheme where both factors are biometric, such as multiple fingerprints, or fingerprint and iris authentication. Such a two-factor biometric approach could eliminate the need to remember passwords and reduce friction in accessing services securely. An example is the combination of facial recognition and fingerprint recognition.
Biometric authentication methods still being developed include gait recognition and voice biometrics. These can be incorporated into a continuous authentication scheme.