Biometrics – to identify, not authorise

Biometrics are your username, not your password.

This tweet by Koushik made a lot of sense on first reading. But I couldn’t place my finger on why I agreed with it. Until I read the paragraph below:

All ‘passwords’ should be replaceable. If your credit card gets stolen, you can block it and get a new card. If your Aadhaar number and fingerprint are leaked, you can’t change it, you can’t block it.

Pranesh Prakash in HT

That clinches it for me.

If my password gets stolen, I can reset it to something new, something stronger.

What do I do if my fingerprint is my password? Can’t get a new fingerprint.

Can’t get a new retina, or DNA either. And they’re all a fair bit easier to steal than a strong password.

Sure, use biometrics to identify if you want. But follow the identification with authentication (with a password, or more), before giving that identity any authority.