Experts Weigh Pros, Cons of FaceID Authentication in iPhone X

Published: 22/11/2024   Category: security




Security pros discuss Apple's decision to swap fingerprint scanning for facial recognition technology in the latest iPhone.



Apple demonstrated FaceID, its new 3D facial recognition technology, on Sept. 12 as part of the iPhone X. FaceID will replace TouchID fingerprint scanning in the latest iPhone, which doesn't have a home button, to authenticate users so they can access apps and Apple Pay.
If you were apprehensive after the announcement, you're not alone. Apple isn't the first company to use facial recognition, and others have been unsuccessful. Samsung's Face Unlock proved easy to hack when a user logged into one phone using a photo of himself on another; before that, Android's facial scanning tech could be similarly fooled.
Apple uses a different kind of technology, which it promises is more secure. The TrueDepth sensor on iPhone X has a dot projector, flood illuminator, and infrared camera in addition to the built-in camera. The phone creates a 3D map of a user's face and dimensions of their features. Data is locally stored in the iPhone's secure enclave.
FaceID uses AI in addition to the static biometric recognition techniques, says Zighra CEO Deepak Dutt. The algorithms bring an adaptive piece into the picture which continuously learns. FaceID typically would have a learning phase where the engine would build a 3D model of the user's face from a large number of data points.
Apple claims its FaceID authentication is 20x more accurate than TouchID. Only one in 1,000,000 people would have a face similar enough to a user's to successfully bypass FaceID -- the same failure rate as a six-digit passcode. In comparison, there is a one in 50,000 chance a random user could log into an iPhone with TouchID using a fingerprint.
So is FaceID really more secure than TouchID, or a passcode?
One concern about FaceID is that, in its current implementation, only one face can be used per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user's fingerprint and reproduces it, and the user is aware, they could register a different unique fingerprint.
This is not the case with FaceID, he says, though an attacker would need a 100% reproducible bypass using an easily obtainable picture of a user's face. Once the system is broken and can be bypassed using a photo, a victim would have to fall back on using strong and unique passcodes. For some, the old six-digit key login is preferred.
Given that a passcode can be made strong enough to make brute-force attacks useless, they will still have the preference for some security-conscious users, says Bruienne. When combined with good security hygiene, a strong unique passcode (which iOS allows) can be more secure but less convenient.
That said, passcodes also have their downsides. They cannot be forcibly divulged but can be snooped or coerced from users. An attacker with your passcode can get into your iPhone.
FaceID requires a user's attention and can detect whether someone is correctly holding the phone and looking at it to authenticate. This may lessen the chance of sneak auths in which someone holds up a phone and attempts to capture a user's face from a distance.
However, if someone has your body under their control, they can force your finger onto a sensor or force your eye open for an iris scanner. What happens if an attacker tries to use FaceID on a sleeping target, or law enforcement wants to get into a suspect's phone?
"It's one thing to compel someone to unlock a device with their finger," says Bruienne. "It's another thing to just point the camera at their face - [it] will be interesting to see how this is managed."
There has been discussion around forcible authentication. The five-click feature, which is reportedly part of iOS 11, would logically apply to both TouchID and FaceID. If someone expects possible forced authentication, they could use this to set the phone back to passcode login. Right now, there isn't a specific expression or fingerprint that would disable biometric login.
We will not know of the quality of Apple's FaceID facial scanning until the security community tests it, but the combination of an IR sensor and camera makes this system quite accurate and difficult to trick, says WatchGuard Technologies CTO Corey Nachreiner.
Nachreiner says while he strongly believes in biometric authentication, bad actors will continually find ways around different identity tokens, even biometric ones. The key, he says, is layering multiple forms of authentication in a way that's still convenient for users.
While ease and usability are always a factor -- if it's too hard, people won’t use it -- relying on just a single token is asking for trouble, he explains.