Why biometrics and blockchain technologies won’t kill passwords — at least not yet

Published on November 03, 2020

Poor password habits have led to serious breaches over the years. According to Verizon’s latest data breach investigation report, over 80 percent of data breaches are tied to compromised passwords. That said, by no means are we approaching the end of the password era; in fact, passwords are still superior to emerging blockchain technologies and biometrics.

Biometric solutions are far from a panacea
Passwords are either entirely right or entirely wrong. Conversely, biometrics solutions require a margin of error, which can be problematic. To give a slightly innocuous example, many people can open their relatives’ mobile phones through facial recognition applications. On a more sinister note, hackers from Tencent can access phones via fingerprint scanners in under twenty minutes. Likewise, for years, scholars have shown that it is possible to bypass fingerprint readers with 2.5D fingerprint spoofs. Put simply, biometrics are not immune to breaches, and most importantly, if biometric data is stolen, it cannot be replaced.
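The contrast drawn above (exact match versus a tolerance band, and replaceable versus permanent credentials) in runnable form. This is an added illustration, not code from the article or from any vendor it names; the 32-bit "templates" and the Hamming-distance threshold are constructed stand-ins for a real biometric matcher.

```python
import hashlib
import hmac
import os

# Constructed sample templates (a real template is far larger; this is illustrative).
OWNER_TEMPLATE = 0b10110011_01011100_11110000_00101101
# A close relative: only 3 feature bits differ from the owner.
SIBLING_TEMPLATE = OWNER_TEMPLATE ^ 0b00000001_00000100_00000000_00010000
# An unrelated person: 16 feature bits differ.
STRANGER_TEMPLATE = OWNER_TEMPLATE ^ 0x5A5A5A5A


def hamming(a, b):
    """Number of differing feature bits between two templates."""
    return bin(a ^ b).count("1")


def biometric_match(enrolled, probe, max_distance=4):
    """Threshold match: every probe inside the tolerance band is accepted.
    The band is what lets a look-alike relative through, and it cannot be
    set to zero because two scans of the same finger or face never agree exactly."""
    return hamming(enrolled, probe) <= max_distance


def enroll_password(password):
    """Store a salted PBKDF2 hash; re-running this is how a password is replaced."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def password_match(record, attempt):
    """Exact match: a single wrong character fails, nothing in between."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 200_000)
    return hmac.compare_digest(digest, candidate)


def after_breach():
    """What each credential type looks like once the stored secret has leaked."""
    old = enroll_password("correct horse")
    new = enroll_password("battery staple")      # user rotates the password
    return {
        "leaked_password_still_works": password_match(new, "correct horse"),
        # The leaked template is the user's only face; there is nothing to rotate.
        "leaked_template_still_works": biometric_match(OWNER_TEMPLATE, OWNER_TEMPLATE),
    }
```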

This isn’t mere conjecture, as we’ve already seen biometric breaches in the real world. Last year, web privacy company vpnMentor found that Suprema’s security platform, BioStar 2, was compromised. According to vpnMentor, the breach exposed facial recognition and fingerprint records for over 1 million people. Suprema had saved exact copies of users’ fingerprints, potentially compromising these individuals’ biometric information forever.

For companies like Suprema that store users’ biometric data, it’s wise to utilize blockchain technology to protect this data. Blockchain technologies have also been viewed as a suitable replacement for passwords in and of themselves; however, we are still years away from this.

We’re years away from a blockchain replacement
For years, whitehat hackers have suggested that blockchain distributed ledger technology (DLT) could replace traditional passwords. Several start-ups, such as Remme, already provide the service. Through the DLT model, devices are issued an SSL certificate, which is stored in a blockchain ledger (in Remme’s case, it’s Hyperledger Sawtooth). When a user attempts to log into an account, the user’s identity is verified by this technology. There is no centralized server or password database, which theoretically means that bad actors are left without a central point to target.

In theory, this emerging technology sounds great; however, it does not come without a cost. As computer scientist Nina Polshakova has shown, storing even 100 passwords on the Bitcoin blockchain ledger can be extremely expensive. Moreover, according to Gartner, blockchain technologies are entering the “trough of disillusionment” section of the Hype Cycle, and most enterprises are still approximately seven years away from employing such technologies in a way that is operationally scalable. Additionally, some enterprises are wary of blockchain vendors, as many crypto service providers have been mired in scandal.

As a caveat, several rather promising companies have appeared on the scene. The Sydney-based non-profit Tide Foundation is pilot-testing a technology that involves “splintering,” which is essentially a more complex version of hashing. Through splintering, passwords are broken up into small pieces and stored via a decentralized blockchain; every password is “splintered” to at least 20 nodes on Tide’s public blockchain, making these passwords 14 million times more difficult for hackers to access.

Their splintering technology has proven to be quite resilient. Despite 6.5 million attempts last year, no hackers were able to conduct a successful dictionary attack on a dataset protected by Tide’s technology. The non-profit intends to keep this technology open-source and to release it later this year for commercial use. Although Tide’s new technology sounds promising, it remains to be seen whether it will be adopted by mainstream enterprises.

Although passwordless authentication options are gaining prominence, there’s a reason why we’re still using passwords 60 years after their inception: they’re effective. Unlike biometric data, passwords are either definitively right or definitively wrong. With passwords, there is no ambiguity. Most importantly, passwords can be easily replaced if they are compromised. Biometric data—irises, faces, or fingerprints—can never be replaced in the event of a breach. Lastly, despite the strong work put forth by companies such as Remme and the Tide Foundation, it remains to be seen whether such emerging technologies will see mass adoption.
