Experts Weigh Pros, Cons of FaceID Authentication in iPhone X
Wednesday, November 15, 2017
Author: Kelly Sheridan, with Dark Reading, https://www.darkreading.com/endpoint/experts-weigh-pros-cons-of-faceid-authentication-in-iphone-x/d/d-id/1329874?piddl_msgorder=thrd

Security pros discuss Apple's decision to swap fingerprint scanning for facial recognition technology in the latest iPhone.

Apple demonstrated FaceID, its new 3D facial recognition technology, on Sept. 12 as part of the iPhone X. FaceID will replace TouchID fingerprint scanning in the latest iPhone, which doesn't have a home button, to authenticate users so they can access apps and Apple Pay.

If you were apprehensive after the announcement, you're not alone. Apple isn't the first company to use facial recognition, and others have been unsuccessful. Samsung's Face Unlock proved easy to hack when a user logged into one phone using a photo of himself on another; before that, Android's facial scanning tech could be similarly fooled.

Apple uses a different kind of technology, which it promises is more secure. The TrueDepth sensor on iPhone X has a dot projector, flood illuminator, and infrared camera in addition to the built-in camera. The phone creates a 3D map of a user's face and dimensions of their features. Data is locally stored in the iPhone's secure enclave.

"FaceID uses AI in addition to the static biometric recognition techniques," says Zighra CEO Deepak Dutt. "The algorithms bring an adaptive piece into the picture which continuously learns. FaceID typically would have a learning phase where the engine would build a 3D model of the user's face from a large number of data points."

Apple claims its FaceID authentication is 20x more accurate than TouchID. Only one in 1,000,000 people would have a face similar enough to a user's to successfully bypass FaceID -- the same failure rate as a six-digit passcode. In comparison, there is a one in 50,000 chance a random user could log into an iPhone with TouchID using a fingerprint.

So is FaceID really more secure than TouchID, or a passcode?

One concern about FaceID is that, in its current implementation, only one face can be used per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user's fingerprint and reproduces it, and the user is aware, they could register a different unique fingerprint.

This is not the case with FaceID, he says, though an attacker would need a 100% reproducible bypass using an easily obtainable picture of a user's face. Once the system is broken and can be bypassed using a photo, a victim would have to fall back on using strong and unique passcodes. For some, the old six-digit key login is preferred.

"Given that a passcode can be made strong enough to make brute-force attacks useless, they will still have the preference for some security conscious users," says Bruienne. "When combined with good security hygiene, a strong unique passcode (which iOS allows) can be more secure but less convenient."

That said, passcodes also have their downsides. They cannot be forcibly divulged but can be snooped or coerced from users. An attacker with your passcode can get into your iPhone.

FaceID requires a user's attention and can detect whether someone is correctly holding the phone and looking at it to authenticate. This may lessen the chance of "sneak auths" in which someone holds up a phone and attempts to capture a user's face from a distance.

However, if someone has your body under their control, they can force your finger onto a sensor or force your eye open for an iris scanner. What happens if an attacker tries to use FaceID on a sleeping target, or law enforcement wants to get into a suspect's phone?

"It's one thing to compel someone to unlock a device with their finger," says Bruienne. "It's another thing to just point the camera at their face - [it] will be interesting to see how this is managed."