Welcome to ISSA KC

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. Through its membership, ISSA -Kansas City helps security professionals in the Kansas City area learn of information security issues and trends, which promote education, collaboration, and leadership, and further the information security profession.

Experts Weigh Pros, Cons of FaceID Authentication in iPhone X

Posted by VP ISSA Wednesday, November 15, 2017


Experts Weigh Pros, Cons of FaceID Authentication in iPhone X


Security pros discuss Apple's decision to swap fingerprint scanning for facial recognition technology in the latest iPhone.

Apple demonstrated FaceID, its new 3D facial recognition technology, on Sept. 12 as part of the iPhone X. FaceID will replace TouchID fingerprint scanning in the latest iPhone, which doesn't have a home button, to authenticate users so they can access apps and Apple Pay.

If you were apprehensive after the announcement, you're not alone. Apple isn't the first company to use facial recognition and others have been unsuccessful. Samsung's Face Unlock proved easy to hack when a user logged into one phone using a photo of himself on another; before that, Android's facial scanning tech could be similarly fooled.

Apple uses a different kind of technology, which it promises is more secure. The TrueDepth sensor on iPhone X has a dot projector, flood illuminator, and infrared camera in addition to the built-in camera. The phone creates a 3D map of a user's face and dimensions of their features. Data is locally stored in the iPhone's secure enclave.

"FaceID uses AI in addition to the static biometric recognition techniques," says Zighra CEO Deepak Dutt. "The algorithms bring an adaptive piece into the picture which continuously learns. FaceID typically would have a learning phase where the engine would build a 3D model of the user's face from a large number of data points."

Apple claims its FaceID authentication is 20x more accurate than TouchID. Only one in 1,000,000 people would have a face similar enough to a user's to successfully bypass FaceID -- the same failure rate as a six-digit passcode. In comparison, there is a one in 50,000 chance a random user could log into an iPhone with TouchID using a fingerprint.

So is FaceID really more secure than TouchID, or a passcode?

One concern about FaceID is in its current implementation, only one face can be used per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user's fingerprint and reproduces it, and the user is aware, they could register a different unique fingerprint.

This is not the case with FaceID, he says, though an attacker would need a 100% reproducible bypass using an easily obtainable picture of a user's face. Once the system is broken and can be bypassed using a photo, a victim would have to fall back on using strong and unique passcodes. For some, the old six-digit key login is preferred.

"Given that a passcode can be made strong enough to make brute-force attacks useless, they will still have the preference for some security conscious users," says Bruienne. "When combined with good security hygiene, a strong unique passcode (which iOS allows) can be more secure but less convenient."

That said, passcodes also have their downsides. They cannot be forcibly divulged but can be snooped or coerced from users. An attacker with your passcode can get into your iPhone.

FaceID requires a user's attention and can detect whether someone is correctly holding the phone and looking at it to authenticate. This may lessen the chance of "sneak auths" in which someone holds up a phone and attempts to capture a user's face from a distance.

However, if someone has your body under their control, they can force your finger onto a sensor or force your eye open for an iris scanner. What happens if an attacker tries to use FaceID on a sleeping target, or law enforcement wants to get into a suspect's phone?

"It's one thing to compel someone to unlock a device with their finger," says Bruienne. "It's another thing to just point the camera at their face - [it] will be interesting to see how this is managed."

Upcoming Events

Aug 23rd - Chapter Meeting * Register

Sept 5th - SIG/WIS Meeting at Sprint

Oct 25 th - Chapter Meeting *Register

Nov 8th - Happy Hour *Register

Past events:

July 26th - Chapter meeting @ Hereford House

June 28th, 2018 - Chapter Meeting

May 24th, 2018 - Chapter Meeting

May 17th, 2018 - Happy Hour

Questions about upcoming meetings? email VP

Join the ISSA Kansas City Chapter

ISSA KC Mentorship Program Program Details

Mentor form/Application
Mentee form/Application


Join our mailing list to stay current on ISSA Kansas City!


For more information on how to join the Kansas City Chapter of ISSA click here. ** Join today! **


ISSA Member Login Page ISSA ** Login **


ISSA International’s Special Interest Groups (SIG) and Webinars:SIG On-Demand Conf

SIG groups are:

Security Awareness

Women in Security

Healthcare

Financial

Social Media

Chapter meetings are a great way to get to know your peers here in KC. And, if you're currently looking to make a career change, it's an invaluable way to build relationships that can provide you with the "inside information" on open security positions.










Do you have any membership questions? email link


Sponsors




Home





Image result for Synack

Image result for Forcepoint

Image result for Carbon Black

Image result for Zerto

Image result for Tenable

Related image


Image result for CyberArk

Image result for Critical Start

Image result for Securonix


Image result for OKTA


Image result for ProofPoint



Be a sponsor!!! Email us at president@kc.issa.org