People in the cybersecurity business keep saying that a password is dreadfully insecure, that someone can look over your shoulder and steal it, or they can listen to your communication with the bank, and steal it from that. There can be malware on your device, which reads what you type, and sends it to a cybercriminal in another country. Even strong encryption is no use, since criminals now use GPUs to decrypt millions of credentials in just a few milliseconds.

But passwords are so convenient. Why would you want your iris scanned in the checkout queue at Target, or wait for an SMS message, telling you to enter yet another password? Most importantly, if you lose or forget your password, it can be reset, unlike any biometric parameter.

It would be most convenient if you could enter your password in the usual way, but anyone watching would be unable to use what they saw, and anything listening to the (unencrypted) transmission would pick up useless garbage. Even better if any malware on your device were also unable to use anything it discovered.

This paper sheds light on this problem.

https://www.researchgate.net/project/IDaaS-with-secure-data-at-rest/update/5a94e4f1b53d2f0bba5491cf
