Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/19/2017
10:00 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

How Apple's New Facial Recognition Technology Will Change Enterprise Security

Expect a trickle-down effect, as tech similar to Face ID becomes offered outside of Apple.

Apple's new Face ID technology promises a security revolution for iPhone users — and it also promises to change all of enterprise security, eventually. While Face ID's primary audience consists of consumers who buy iPhones, Apple has created a new paradigm for security with a safer, faster authentication system. Similar technology eventually will filter down to devices of all kinds and enable organizations to provide their employees and customers with more secure experiences, protecting their data and keeping cybercrooks at bay.

Face ID, introduced by Apple at its product launch on September 12, is a major advance in biometric authentication, both over Touch ID (fingerprint) authentication that Apple devices have used until now and over other facial recognition systems. Apple says Face ID is so accurate that the chance of another random person's face being used to unlock your phone is 1 in 1,000,000 — much better than the 1 in 50,000 unlock error rate for Touch ID. Face ID bests other facial recognition systems as well; it's the first consumer-oriented 3-D facial recognition system, beating out systems in devices such as Samsung's Galaxy S8 and Note8, which are 2-D recognition systems.

The authentication provided by Face ID certainly will prove sufficient for use by organizations as an authentication method to "prove" that a device belongs to the user. Today, however, many organizations — often because of regulations, such as for apps that can access customer account information, or at least as part of best practices — require two-factor authentication. For most organizations, that means requiring users to input a password (something users know) in order to activate an app or log in to a website from a mobile device, coupled with a second authentication factor, such as a biometric marker like a fingerprint (something users are), or a text message sent to a user's device, which consists of a code that the user must enter into a site or an app (something users have) in order to access it. 

The fact that Face ID is superior to passwords as an authentication method should come as no surprise. The vast majority of major data breaches in recent years (think Sony, Target, major banks, etc.) were due to compromising of login data and password theft. According to a study by Verizon, more than four out of five data breaches are due to stolen passwords or misused credentials; it certainly wouldn't make sense to have such a weak authentication method to access sensitive data when such a strong authentication method is used to secure the device itself!

That's why, I believe, Face ID will be the catalyst that sets off a real revolution in data authentication. If Apple can implement such a strong authentication method for its devices, organizations will be searching for something at least as strong to authenticate their data on all devices out there that don't use Face ID. 

The fastest-growing solution for user authentication in enterprises is phone authentication, in which a mobile device — instead of a hardware token or a password — is used as an authenticator. Organizations that have sought higher levels of security have already ditched passwords, turning instead to authentication systems based on devices, which are considered more secure than passwords and, for an increasing number of organizations, their primary authentication method in a two-factor authentication scheme. 

Seeking better security, more organizations will increasingly dump passwords for device authentication, a system that can be used on any mobile device; the greater security provided by Face ID will, I believe, inspire many organizations to reconsider how they approach authentication, and opt for something more secure, even on devices other than the newest iPhones. 

Fingerprints have often been used as a second factor in a two-factor scheme, but now that second factor has gotten a major upgrade, two-factor authentication based on devices and used with Apple devices that support Face ID will present a formidable challenge — enough to discourage hackers from even trying to breach an Apple device. While Face ID currently is strictly limited to some Apple devices, it's just a matter of time until 3-D face recognition as an authentication method trickles down to the rest of the industry, as the industry follows in the path of market leader and innovator Apple. 

Combining proven device authentication systems with Face ID truly is a game changer — a revolution, even — and companies seeking to improve their security systems are going to be very attracted to this winning combination. Long live that revolution, I say. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Shimrit Tzur-David is the chief technology officer and co-founder of Secret Double Octopus, the world's only keyless multi-shield authentication technology that protects identity and data across cloud, mobile and IoT environments. Shimrit has over 10 years of research ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
markgrogan
50%
50%
markgrogan,
User Rank: Strategist
11/28/2018 | 7:23:39 AM
Re: Whoops
We all know just how much chaos data breaches have caused over recent years so companies ought to step up their security game. Facial recognition is one very advanced technique to show that they have absolute concern over their customers' safety and security, hence it shows that they are one step ahead. In the near future, consumers should expect more stringent security measures being put in place for sure.
dsichel
50%
50%
dsichel,
User Rank: Apprentice
10/21/2017 | 2:39:56 PM
Whoops
So I have one huge problem with this technology that I think is underestimated. I use my face, my fingerprint,  pick your biometric.  How do I change my password when the hash of my face/finger/etc gets exfiltrated?  Identity theft will actually get easier as these technologies get adopted, just watch.  Criminals/state actors with anything from homegrown Beowulf clusters to server farms of Cray3s are gonna wholesale rainbow your hashes and then you are stuck. Polynomial time becomes real time as Moore's law marches on and the attackers weaponize faster than the defenders.

 

ANY static form of ID is a poor choice. Really poor. As in really, really, irrevocably poor.  Don't believe me? Consider your social security number. A really bad Identity tool that will NEVER go away because of ubiquity. Biometrics are a more permanent version of this.

 

Anyway, that's my underinformed, highly opinionated take on this :).

 

Dan S.

 
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9342
PUBLISHED: 2020-02-22
The F-Secure AV parsing engine before 2020-02-05 allows virus-detection bypass via crafted Compression Method data in a GZIP archive. This affects versions before 17.0.605.474 (on Linux) of Cloud Protection For Salesforce, Email and Server Security, and Internet GateKeeper.
CVE-2020-9338
PUBLISHED: 2020-02-22
SOPlanning 1.45 allows XSS via the "Your SoPlanning url" field.
CVE-2020-9339
PUBLISHED: 2020-02-22
SOPlanning 1.45 allows XSS via the Name or Comment to status.php.
CVE-2020-9340
PUBLISHED: 2020-02-22
fauzantrif eLection 2.0 has SQL Injection via the admin/ajax/op_kandidat.php id parameter.
CVE-2020-9341
PUBLISHED: 2020-02-22
CandidATS 2.1.0 is vulnerable to CSRF that allows for an administrator account to be added via the index.php?m=settings&a=addUser URI.