Password authentication depends on user input. To make it safe, one of the requirement is that you need to do it safely and quickly enough and hope that nobody could catch what you type on the keyboard.
Nowadays, we can’t hope such.
With naked eyes, we can simply read gestures, types, presses most of people do when they unlock their phone. With cameras, you can replay – in slow motion.
This is not new at all. Though, nowadays, cameras are everywhere, videos are publicly available, big data, machine learning, if you put them together, you can extract a person’s password from such sources.
Many IT vendors already knew this for years. That’s why they started pushing biometrics like fingerprint scans, face recognition in their products, and encourage their users to use it – at least, as one factor of their authentication methods.
IMHO, the password authentication should completely be eliminated. We should not even use it as a factor in authentication ecosystem – it must die.
Let me hope it will – soon.
BTW, researches on replacing password authentication are very welcome. :)