Endpoint

9/19/2017
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How Apple's New Facial Recognition Technology Will Change Enterprise Security

Expect a trickle-down effect, as tech similar to Face ID becomes offered outside of Apple.

Apple's new Face ID technology promises a security revolution for iPhone users — and it also promises to change all of enterprise security, eventually. While Face ID's primary audience consists of consumers who buy iPhones, Apple has created a new paradigm for security with a safer, faster authentication system. Similar technology eventually will filter down to devices of all kinds and enable organizations to provide their employees and customers with more secure experiences, protecting their data and keeping cybercrooks at bay.

Face ID, introduced by Apple at its product launch on September 12, is a major advance in biometric authentication, both over Touch ID (fingerprint) authentication that Apple devices have used until now and over other facial recognition systems. Apple says Face ID is so accurate that the chance of another random person's face being used to unlock your phone is 1 in 1,000,000 — much better than the 1 in 50,000 unlock error rate for Touch ID. Face ID bests other facial recognition systems as well; it's the first consumer-oriented 3-D facial recognition system, beating out systems in devices such as Samsung's Galaxy S8 and Note8, which are 2-D recognition systems.

The authentication provided by Face ID certainly will prove sufficient for use by organizations as an authentication method to "prove" that a device belongs to the user. Today, however, many organizations — often because of regulations, such as for apps that can access customer account information, or at least as part of best practices — require two-factor authentication. For most organizations, that means requiring users to input a password (something users know) in order to activate an app or log in to a website from a mobile device, coupled with a second authentication factor, such as a biometric marker like a fingerprint (something users are), or a text message sent to a user's device, which consists of a code that the user must enter into a site or an app (something users have) in order to access it. 

The fact that Face ID is superior to passwords as an authentication method should come as no surprise. The vast majority of major data breaches in recent years (think Sony, Target, major banks, etc.) were due to compromising of login data and password theft. According to a study by Verizon, more than four out of five data breaches are due to stolen passwords or misused credentials; it certainly wouldn't make sense to have such a weak authentication method to access sensitive data when such a strong authentication method is used to secure the device itself!

That's why, I believe, Face ID will be the catalyst that sets off a real revolution in data authentication. If Apple can implement such a strong authentication method for its devices, organizations will be searching for something at least as strong to authenticate their data on all devices out there that don't use Face ID. 

The fastest-growing solution for user authentication in enterprises is phone authentication, in which a mobile device — instead of a hardware token or a password — is used as an authenticator. Organizations that have sought higher levels of security have already ditched passwords, turning instead to authentication systems based on devices, which are considered more secure than passwords and, for an increasing number of organizations, their primary authentication method in a two-factor authentication scheme. 

Seeking better security, more organizations will increasingly dump passwords for device authentication, a system that can be used on any mobile device; the greater security provided by Face ID will, I believe, inspire many organizations to reconsider how they approach authentication, and opt for something more secure, even on devices other than the newest iPhones. 

Fingerprints have often been used as a second factor in a two-factor scheme, but now that second factor has gotten a major upgrade, two-factor authentication based on devices and used with Apple devices that support Face ID will present a formidable challenge — enough to discourage hackers from even trying to breach an Apple device. While Face ID currently is strictly limited to some Apple devices, it's just a matter of time until 3-D face recognition as an authentication method trickles down to the rest of the industry, as the industry follows in the path of market leader and innovator Apple. 

Combining proven device authentication systems with Face ID truly is a game changer — a revolution, even — and companies seeking to improve their security systems are going to be very attracted to this winning combination. Long live that revolution, I say. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Shimrit Tzur-David is the chief technology officer and co-founder of Secret Double Octopus, the world's only keyless multi-shield authentication technology that protects identity and data across cloud, mobile and IoT environments. Shimrit has over 10 years of research ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dsichel
50%
50%
dsichel,
User Rank: Apprentice
10/21/2017 | 2:39:56 PM
Whoops
So I have one huge problem with this technology that I think is underestimated. I use my face, my fingerprint,  pick your biometric.  How do I change my password when the hash of my face/finger/etc gets exfiltrated?  Identity theft will actually get easier as these technologies get adopted, just watch.  Criminals/state actors with anything from homegrown Beowulf clusters to server farms of Cray3s are gonna wholesale rainbow your hashes and then you are stuck. Polynomial time becomes real time as Moore's law marches on and the attackers weaponize faster than the defenders.

 

ANY static form of ID is a poor choice. Really poor. As in really, really, irrevocably poor.  Don't believe me? Consider your social security number. A really bad Identity tool that will NEVER go away because of ubiquity. Biometrics are a more permanent version of this.

 

Anyway, that's my underinformed, highly opinionated take on this :).

 

Dan S.

 
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14633
PUBLISHED: 2018-09-25
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The at...
CVE-2018-14647
PUBLISHED: 2018-09-25
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming larg...
CVE-2018-10502
PUBLISHED: 2018-09-24
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exist...
CVE-2018-11614
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists wit...
CVE-2018-14318
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists within the handling of ...