Endpoint

9/13/2017
04:52 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Experts Weigh Pros, Cons of FaceID Authentication in iPhone X

Security pros discuss Apple's decision to swap fingerprint scanning for facial recognition technology in the latest iPhone.

Apple demonstrated FaceID, its new 3D facial recognition technology, on Sept. 12 as part of the iPhone X. FaceID will replace TouchID fingerprint scanning in the latest iPhone, which doesn't have a home button, to authenticate users so they can access apps and Apple Pay.

If you were apprehensive after the announcement, you're not alone. Apple isn't the first company to use facial recognition and others have been unsuccessful. Samsung's Face Unlock proved easy to hack when a user logged into one phone using a photo of himself on another; before that, Android's facial scanning tech could be similarly fooled.

Apple uses a different kind of technology, which it promises is more secure. The TrueDepth sensor on iPhone X has a dot projector, flood illuminator, and infrared camera in addition to the built-in camera. The phone creates a 3D map of a user's face and dimensions of their features. Data is locally stored in the iPhone's secure enclave.

"FaceID uses AI in addition to the static biometric recognition techniques," says Zighra CEO Deepak Dutt. "The algorithms bring an adaptive piece into the picture which continuously learns. FaceID typically would have a learning phase where the engine would build a 3D model of the user's face from a large number of data points."

Apple claims its FaceID authentication is 20x more accurate than TouchID. Only one in 1,000,000 people would have a face similar enough to a user's to successfully bypass FaceID -- the same failure rate as a six-digit passcode. In comparison, there is a one in 50,000 chance a random user could log into an iPhone with TouchID using a fingerprint.

So is FaceID really more secure than TouchID, or a passcode?

One concern about FaceID is in its current implementation, only one face can be used per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user's fingerprint and reproduces it, and the user is aware, they could register a different unique fingerprint.

This is not the case with FaceID, he says, though an attacker would need a 100% reproducible bypass using an easily obtainable picture of a user's face. Once the system is broken and can be bypassed using a photo, a victim would have to fall back on using strong and unique passcodes. For some, the old six-digit key login is preferred.

"Given that a passcode can be made strong enough to make brute-force attacks useless, they will still have the preference for some security conscious users," says Bruienne. "When combined with good security hygiene, a strong unique passcode (which iOS allows) can be more secure but less convenient."

That said, passcodes also have their downsides. They cannot be forcibly divulged but can be snooped or coerced from users. An attacker with your passcode can get into your iPhone.

FaceID requires a user's attention and can detect whether someone is correctly holding the phone and looking at it to authenticate. This may lessen the chance of "sneak auths" in which someone holds up a phone and attempts to capture a user's face from a distance.

However, if someone has your body under their control, they can force your finger onto a sensor or force your eye open for an iris scanner. What happens if an attacker tries to use FaceID on a sleeping target, or law enforcement wants to get into a suspect's phone?

"It's one thing to compel someone to unlock a device with their finger," says Bruienne. "It's another thing to just point the camera at their face - [it] will be interesting to see how this is managed."

There has been discussion around forcible authentication. The five-click feature, which is reportedly part of iOS 11, would logically apply to both TouchID and FaceID. If someone expects possible forced authentication, they could use this to set the phone back to passcode login. Right now, there isn't a specific expression or fingerprint that would disable biometric login.

"We will not know of the quality of Apple's FaceID facial scanning until the security community tests it, but the combination of an IR sensor and camera makes this system quite accurate and difficult to trick," says WatchGuard Technologies CTO Corey Nachreiner.

Nachreiner says while he strongly believes in biometric authentication, "bad actors will continually find ways around different identity tokens, even biometric ones." The key, he says, is layering multiple forms of authentication in a way that's still convenient for users.

"While ease and usability are always a factor -- if it's too hard, people won’t use it -- relying on just a single token is asking for trouble," he explains.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.