Token authentication vs. biometric authentication systems

In this expert response, Ken Munro discusses the pros and cons of using both biometric authentication systems and token-based systems.

How mature are biometric authentication systems, and do they really work? Would there be any point in swapping our existing token-based system for a biometric approach? And what type would you suggest?

Biometric systems have been around for a significant period of time, and they have successfully made the leap from science fiction and movies to the real world. Early issues such as revocation and replay have largely been resolved, though compromise of the biometric storage system still remains an issue. Consider what happens if your biometrics are compromised where they're stored. What do you do if your fingerprints or retina scans are pinched? You can't very well go and get a new set!

That said, it's hard to forget your fingers on the way to work, unlike swipe cards, tokens and passwords. The problem with biometric authentication is that some over-zealous vendors are promoting it as a substitute for conventional authentication processes. It's not! Biometric systems make an excellent addition to security, and could be considered a substitute for token-based authentication, but they will never be a substitute for a username/password/PIN.

If you have already made the investment in tokens and can manage the overhead that they create in terms of loss, replacement and staff education, then stick with them. Biometrics won't have a significantly lower support overhead, and it could be a great deal higher as users get the hang of exactly how to authenticate with them. The value from a token system is either wrong or right; a fingerprint match, by contrast, is mostly right or mostly wrong. Hence the learning and 'tuning' process for new users and your support team can be significant.


If you haven't implemented a second factor of authentication, then review both biometrics and tokens. Either would significantly complement your current security setup.
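The difference between a token value that is "either wrong or right" and a fingerprint match that is "mostly right or mostly wrong" can be shown in a few lines. This is an added example, not part of the original response: the token side uses HOTP (RFC 4226) as one common token algorithm, and the biometric scores, thresholds and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the kind of one-time value a hardware token displays."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_token(secret: bytes, counter: int, submitted: str) -> bool:
    """Exact, constant-time comparison: the value is right or it is wrong."""
    return hmac.compare_digest(hotp(secret, counter), submitted)

def verify_biometric(score: float, threshold: float) -> bool:
    """A matcher yields a similarity score; policy decides how close is enough."""
    return score >= threshold

def error_rates(genuine, impostor, threshold):
    """Return (false reject rate, false accept rate) at a given threshold."""
    frr = sum(not verify_biometric(s, threshold) for s in genuine) / len(genuine)
    far = sum(verify_biometric(s, threshold) for s in impostor) / len(impostor)
    return frr, far

# Constructed similarity scores (0.0 to 1.0), not output from any real matcher.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.67, 0.84, 0.72, 0.90, 0.58, 0.86]
IMPOSTOR = [0.12, 0.33, 0.41, 0.25, 0.62, 0.18, 0.70, 0.29, 0.37, 0.08]

def tuning_table(thresholds=(0.5, 0.6, 0.7, 0.8)):
    """One row per threshold: (threshold, FRR, FAR)."""
    return [(t, *error_rates(GENUINE, IMPOSTOR, t)) for t in thresholds]

if __name__ == "__main__":
    secret = b"12345678901234567890"  # test secret from RFC 4226 Appendix D
    print("correct code:", verify_token(secret, 0, "755224"))
    print("one digit off:", verify_token(secret, 0, "755225"))
    for t, frr, far in tuning_table():
        print(f"threshold={t:.1f}  FRR={frr:.0%}  FAR={far:.0%}")
```

On the constructed scores, raising the threshold lowers false accepts while turning away more genuine users, which is the tuning and support overhead the response refers to; the token check has no such setting.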
