Our fingerprints, eyes and faces will replace passwords

Passwords are a pain in the ass. They're either easy to crack or hard to remember, and when breaches occur you have to come up with a whole new one. So people are trying to do away with passwords altogether, and so far, fingerprint scanners are doing the job nicely.

Still, fingerprints alone are not enough. Online security has become increasingly important, forcing service providers to come up with better measures such as two-factor authentication to defend user information. Companies are turning to other parts of our bodies to find biometric complements that are up to the task, and our faces and eyes are at the top of the list. Although facial and eye-based recognition appear gimmicky for now (the Galaxy Note 7's iris scanner, anyone?), they may soon become as prevalent and popular as fingerprint scanners. That pairing could eradicate passwords and clunky text-message two-factor verification altogether, making it a completely biometric process.

Before you brush the notion aside, think about the history of fingerprint scanners on smartphones. After Apple first put Touch ID on the iPhone 5s in 2013, people pointed out that it didn't work very well and that it wasn't secure. But Apple soldiered on, improving the hardware and implementing more useful features. Since then, many other tech giants have followed suit. Today, they're basically a given feature on flagship Samsung, Nexus (or Pixel), LG and HTC phones, and are even spreading to more affordable handsets such as the $99 ZMax Pro, the $200 Huawei Honor 5X, the $400 OnePlus 3 and the $400 ZTE Axon 7. We can expect to see them everywhere soon, said Sayeed Choudhury, Qualcomm's senior director of product management.

Despite the proliferation of fingerprint sensors, companies continue to chase convenience and novelty by introducing new biometric methods of logging in. We started seeing facial recognition as a method of identification when Google first revealed Face Unlock on Android 4.0 Ice Cream Sandwich. Years later, eye-print authentication started popping up on phones such as the ZTE Grand S3 and the Alcatel Idol 3. The latter two used a retinal scan to match the user by looking at the full eye and veins.

The good thing about this method, said Choudhury, was that it didn't require additional hardware -- you could just use the selfie camera. The challenge in retinal scanning is in its computation and algorithms, which Choudhury said is "very heavyweight" and "almost always uses the GPU in addition to the CPU." This means it takes longer to detect and recognize your prints. Indeed, in my experience reviewing the Eyeverify system on ZTE and Eye-D on the Alcatel Idol 3, snapping a pic of my eyes to unlock the phones was always excruciatingly slow.

In contrast, iris scanning, which was one of the highlights of the Galaxy Note 7 when it launched (and before all that exploding hoopla), uses more compact algorithms, said Choudhury. That means faster detection and a shorter wait time. Plus, iris scanning has been around for a long time. People have been using it to get into secure labs, buildings and even through airport security (Global Entry), so the technology is pretty mature. It's also more secure than fingerprints. According to Choudhury, "Iris-recognition technologies found in devices today identify three to five times more 'feature markers' to classify a specific iris versus what today's fingerprint technologies can do." The bad news with iris scanning, though, is it requires an infrared (IR) camera, which isn't on many phones. But Samsung isn't alone in looking to implement it -- other brands will likely follow suit.

One of the biggest forces pushing the move toward eye-based authentication is the payments industry, said Choudhury. "What we're seeing, driven by the mobile payments industry, is that both iris and retina biometrics are going to be incorporated in many more devices," he said. Mobile payments are a "killer-use case," according to him, and it certainly has a history of forcing even the most stubborn companies to adopt new technologies. The most obvious example of this would be Apple finally incorporating NFC into the iPhone 6 to enable its payment system, after years of resisting the tech that's proliferated in Android phones.

Payments giant Mastercard is one of the proponents of the biometric security bandwagon, which encompasses fingerprints, eyes and faces. "We want to remove passwords," said Ajay Bhalla, president of global enterprise risk and security at Mastercard. "Passwords are a big problem for people -- they keep forgetting it or they use passwords which are very simple and dumb," said Bhalla.

The company has been researching biometric-authentication methods using facial recognition, eye-based tech, fingerprints, heartbeats and voice, because these are unique to the user and don't require memorizing or guesswork. It found fingerprints and face detection to be the most easily scalable. "We feel it's reached a stage where it can become mainstream -- it's on devices, and consumers understand it," said Bhalla.

Mastercard recently launched its "selfie pay" authentication method in Europe via its Identity Check Mobile app. The feature lets you authorize transactions by taking a portrait of yourself and blinking to prove it's you and not a picture some wannabe hacker printed.

While it may sound cheesy to hold up your phone and pose for a picture each time you want to buy something, the company claims it is well-received. According to research from its 2015 trials, 90 percent of respondents found the Identity Check app more convenient than what they had been using. Seventy-one percent rated facial recognition as "highly convenient," while 93 percent rated fingerprint recognition the same.

The popularity, prevalence and convenience of fingerprint scanning means it is here to stay, and by no means are face- and eye-recognition meant to replace it. Both Choudhury and Bhalla see the newer method as a complement to fingerprints, providing a more convenient second-factor authentication as opposed to entering a text code sent to your phone. While the tech we have right now may not be fast or secure enough to be truly convenient and helpful, we're getting close. Using the adoption of fingerprint scanners as a model, Choudhury estimated that we are five years away from iris scanners and face detection becoming just as widespread. Until then, we'll have to deal with changing our crappy passwords every so often and hope we don't forget them.