How secure is Apple’s Face ID, really?
In its latest product event, Apple confidently moved to convince consumers that face recognition is the most convenient way to secure your phone and the sensitive information you store in it. Face ID, the company’s face recognition technology, which will be replacing its fingerprint scanner in the new iPhone X, requires you to only show your face to your phone in order to unlock it, to confirm ApplePay payments, in iTunes and App Store.
According to Phil Schiller, senior vice president of marketing at Apple, “With the iPhone X, your iPhone is locked until you look at it and it recognizes you. Nothing has ever been more simple, natural, and effortless. This is the future of how we’ll unlock our smartphones and protect our sensitive information.”
[AdSense-A]
To be sure, showing your face to your phone is easier than typing a passcode or pressing your finger against a scanner. It saves you a few seconds, you obviously can’t forget it, and it won’t be affected by moisture and oil.
But is it more secure?
Here are the key things you should consider about facial recognition before you enroll in the latest fad that is overcoming the iPhone and other major smartphones.
Can Face ID be spoofed?
Face recognition authentication has existed for several years, but it has become notoriously renowned for its security flaws. Researchers and cybercriminals have been able to easily circumvent face locks on various devices by using hi-res pictures and videos of the owners. And as opposed to passwords, your face is not a secret. It’s available to anyone who Googles your name or gets close enough to snap a picture of you. Even Samsung’s S8 face lock was proven to be fooled by a photo.
However, Face ID has incorporated a technology to make it exponentially harder to bypass the lock. During setup, Face ID projects 30 thousand infrared dots to create a 3D depth map of its owner’s face. It subsequently uses that map during authentication to make sure that it’s a real face standing before the camera and the physical features correspond to those of the owner.
READ MORE:
- 19 iPhone apps no one should live without
- Is the Apple Upgrade Program really worth it?
- Can police unlock your iPhone X using Face ID?
Getting around depth maps will be much more difficult than using flat images. Apple says not even professionally made masks will work. Some experts believe it’s not impossible to fool, however, and it’s only a matter of time and “enough external data” before the technology can be sidestepped. And per Apple, if you have an identical twin, Face ID may be fooled to mistake them for you.
Further, depth sensors like the ones used in the iPhone X do have their own technical challenges. They might fail under distinct conditions such as intense light or when you’re wearing a hat or scarf. Apple says that it works under various conditions, but we’ll have to certify when the device actually ships.
Can Face ID be forcibly activated?
This is a question that regards all biometric authentication mechanisms, including fingerprint scanners. If you’re captured by criminals or taken into the custody of law enforcement, can they unlock your phone by holding it up to your face?
Unfortunately, they can. The technology doesn’t work if you’re not staring at it or if you close your eyes but is not yet smart enough to understand the difference between a real unlock attempt and a forced one (maybe someday it will). In the case of police, at least, they would legally be required to obtain a warrant before forcing you to unlock the device, according to legal experts.
Apparently, Apple recognizes this as a possible flaw in its technology. In iOS 11, users have to enter the iPhone’s passcode when connecting it to a new computer. This will make it harder to siphon data from a phone unlocked forcibly. Apple has also made it possible to disable Face ID and Touch ID, its fingerprint-scanning technology, by pressing the Home or Power button (depending on the device model) five times in rapid succession.
Where does Apple store your face data?
Your mug is not the most private part of your body. Governments have huge databases of citizens pictures, the internet may be flooded with pictures of you and your friends if you’ve been on social media in the past years, and facial recognition is already a serious privacy concern.
Nonetheless, you should be concerned about where your data is stored and how secure it is, especially the depth map of your face, which is still somewhat private. Most facial recognition software relies on machine learning algorithms, programs that work with huge data sets that are stored on cloud servers. Companies running these types of software need to collect more and more data samples to improve their performance. They might also mine the data for other commercial purposes or share it with third parties.
For the moment, Apple has made it clear that no face data will be leaving your phone, the same approach it has used on Touch ID. Everything will be computed on the device thanks to its powerhouse A11 processor, and sensitive data will be stored on the Secure Enclave, the most secure component of the iPhone.
How much data does Face ID collect?
This is perhaps the creepiest side of Face ID. The technology has no manual trigger on iPhone X. You only need to hold it in front of your face to activate it, which means it’s always watching, waiting for your face to show up. How much data it stores is an open question.
But we’ve seen similar functionality cause privacy controversies in the Echo, Amazon’s smart home system. And unlike the Echo, your iPhone doesn’t remain in your home. You take it with you wherever you go.
Moreover, there’s the question of what Apple will do with the technology once it has access to millions of people’s faces. The company didn’t have much incentive to collect fingerprint data. But face and gaze information is a totally different matter and can be used for things such as tracking attention and reaction to ads. We’ll have to see if Apple will resist the urge to make use of the technology in other potentially profitable endeavors.
For most users, Face ID will provide a secure and reliable way to protect your iPhone, with decent workaround against most of its flaws. Apple says it has 1/1,000,000 chance of getting unlocked by someone other than you, as opposed to TouchID, which stood at 1/50,000.
However, if you prefer privacy over convenience (as I do), remembering and typing a passcode is a small price to pay for higher security.
Ben Dickson is a software engineer and the founder of TechTalks. Follow his tweets at @bendee983 and his updates on Facebook.
Read more: https://www.dailydot.com/layer8/iphone-x-face-id/