With the launch of the iPhone X, Apple unveiled the new Face ID security feature, which uses your face to unlock the device and replaces the iPhone’s fingerprint-biometrics feature, Touch ID.
How effective is Face ID and facial authentication in general? Though some experts are for it and some are against it, in my experience, an authentication measure must meet three requirements if it is to be truly effective: It must be reliable, easy to use and secure.
Under this rubric, does the Face ID security feature measure up? Let’s see.
Is Face ID easy to use?
Facial authentication isn’t hard. You just look at the camera (or not, depending on your settings) and it works. With the iPhone X’s True Depth camera system which uses infrared light, you don’t even need a flash as Face ID is designed to work in the dark.
This makes Face ID both easier than other forms of authentication and more accessible. Fingerprint scanning may not work if you’ve been swimming, showering, or even sweating, voiceprints can be obnoxious to use — especially when you’re not alone. (Besides, do you want everyone around you knowing what you’re doing on your phone?)
Passwords and passcodes, meanwhile, are notoriously difficult to remember – particularly because we have so many of them. They also take time and effort to enter. Looking at your phone, however, takes no time or extra effort at all.
So Face ID seems to get a passing grade on UX. But what about reliability?
Is Face ID reliable?
What about false positives? Will Face ID be too accessible – to the point of unreliability? Apple concedes that a user’s twin or other close family member could look similar enough to a user to trigger a false positive. Worse, researchers have been able to brute force facial authentication in the past. Time will tell as to how effectively Apple did its 3D-scanning homework.
Apple further notes that false negatives can happen too if the user him- or herself undergoes a notable but not uncommon appearance change – such as a shaven “mountain man” beard or a drastically different haircut – requiring a reset.
At least on this latter point, the Face ID security feature arguably does well to be less static and more dynamic than other facial-authentication systems. But that’s not a reliability issue so much as it is a security issue.
Is Face ID secure?
Face-based authentication appears far more secure than that of fingerprint-based authentication. Actual faces are not as surreptitiously borrowed as actual fingerprints – and Apple reports that Face ID will only work if the user is looking at his or her phone in a way that demonstrates “engagement” (although, again, this feature can be turned off).
The difference between facial authentication and fingerprint authentication becomes even clearer when comparing – ahem – Apples to Apples. The company reports that, while 1 in 50,000 fingers could unlock the same Smart Touch-enabled iPhone, only 1 in 1,000,000 faces could unlock the same Face ID-enabled iPhone. Sounds like some pretty meaty security, yes?
Except that guessing the right six-digit passcode on an iPhone is also a 1 in 1,000,000 shot.
As long as users avoid common passcode patterns (e.g., sequential passcodes, repetitive passcodes, and passcodes bearing “19” or “20” in reference to a recent year), a six-digit iPhone passcode is about as secure as Apple’s Face ID. Furthermore, longer alphanumeric password (for all of their problems), assuming sufficient entropy, could potentially be even more difficult to unlock than a Face ID-enabled device – especially because password users may enjoy more legal protections than biometric users do.
So what’s the point?
Should you keep your face (password) to yourself?
You don’t have to be an InfoSec expert to know the fundamental rule of cybersecurity: Don’t make your password public.
Your face, however, is definitely public – especially in these days of social media oversharing, online dating profiles, nearly ubiquitous government surveillance, and so on.
Authenticators, as a rule, work best when they are kept private. Otherwise, they can be easily leveraged for identity theft. Think getting your Social Security Number exposed is bad? What about when your body biometrics becomes compromised?
If your face – or other static biometric marker, like your fingerprint, your iris, etc. – does become compromised, so too can your entire identity. I can overwrite your biometric data with my own. I can become you.
I’m not ready to break out my tinfoil hat just yet. For my part, I still use fingerprint authentication on my devices, which – admittedly – is not as secure as facial authentication. But my fingerprints aren’t quite as public as my face is. For now, I’ll just try to keep my face to myself.