| Passwords | Biometrics |
|---|---|
| Difficult to remember | Don’t have to remember  |
| Requires unique passwords for each system | Can be used on every system |
| Nothing else to carry around | Nothing else to carry around |
| Take time to type | Easy to swipe/sense |
| Prone to typing errors | Prone to sensor or algorithm errors |
| Immune to false positives |
Susceptible to false positives |
| Easy to enroll |
Some effort to enroll |
| Easy to change |
Impossible to change |
| Can be shared among users 1 |
Cannot be shared |
| Can be used without your knowledge | Less likely to be used without your knowledge |
| Cheap to implement |
Requires hardware sensors |
| Work anywhere including browsers & mobile |
Require separate implementation |
| Mature security practice |
Still evolving |
| Non-proprietary |
Proprietary |
| Susceptible to physical observation | Susceptible to public observation |
| Susceptible to brute force attacks | Resistant to brute force attacks |
| Can be stored as hashes by untrusted third party |
Third party must have access to raw data |
| Cannot personally identify you |
Could identify you in the real world |
| Allow for multiple accounts |
Cannot use to create multiple accounts |
| Can be forgotten; password dies with a person | Susceptible to injuries, aging, and death |
| Susceptible to replay attacks | Susceptible to replay attacks |
| Susceptible to weak implementations | Susceptible to weak implementations |
| Not universally accessible to everyone | Not universally accessible to everyone |
| Susceptible to poor user security practices | Not susceptible to poor practices |
| Lacks non-repudiation | Moderate non-repudiation |
1 Can be both a strength and a weakness