One of the most notable features of the recent iPhone X launch is FaceID, which replaces the TouchID and/or PIN that many users already rely on. There has been some concern among close watchers of Apple that FaceID will be finicky and annoy users to the point that they stop using it. But on a longer-term scale, the wholesale move towards biometrics is a good thing for the state of security.
Biometric security or authentication is nothing new, and indeed the existing TouchID that many people already use is another example of this. But Apple’s continued implementation of it is a further sign that we’re moving away from past forms of security. As MacWorld put it, “rather than a password (something you know) or a security dongle or authentication app (something you have), biometrics are something you are.”
This something-you-are model is important because it reduces friction. Indeed, if you ask any security researcher, they’ll tell you that the main barrier to getting users to improve their security habits is friction: any additional step users are expected to take beyond simply logging in. For example, the 2-step verification that Dropbox offers, which sends a text message to a user’s phone each time they log in, is reportedly used by less than 1% of users. That’s rather surprising when you consider that Dropbox is a service that potentially holds all of a user’s work and personal files; if they won’t use it there, where will they use it?
Security expert Troy Hunt says the same resistance is true of PIN codes on iPhones: “It’s a perfect example of where security is friction. No matter how easy you make it, it’s something you have to do in addition to the thing you normally do, namely entering a username and password. That’s precisely the same problem with getting people to put PINs on their phone and as a result, there’s a huge number of devices out there left wide open. How many? It’s hard to tell because there’s no easy way of collecting those stats. I found one survey from 2014 which said 52% of people have absolutely nothing protecting their phone. Another in 2016 said the number is more like 34%.”
So, with FaceID, Apple is signaling its intent to move to a totally friction-free authentication method, which is a boon for its users down the line. But that doesn’t mean it’s without risks. There are still some ways in which biometric logins pose risks that PIN codes do not.
First, let’s understand just how FaceID works. According to MacWorld: “Apple uses a combination of infrared emitter and sensor (which it calls TrueDepth) to paint 30,000 points of infrared light on and around your face. The reflection is measured, which allows it to calculate depth and angle from the camera for each dot. Together they create a kind of 3D fingerprint of your face that can be used to compare against later, and use the same system for live tracking for Animoji, the talking animal heads that match your facial expressions and lip movement, and other selfie special effects.”
So how much risk is there? According to Apple’s iPhone X launch, there is a 1 in 50,000 chance that a random person could unlock your phone through a false positive using TouchID. Using FaceID, however, the odds are even lower at 1 in 1,000,000. Due to the use of infrared sensors and what’s called a “dot projector”, neither a picture of you nor a mask worn by another person can unlock it (because the phone can tell it’s not a human face, even though it may look like you).
However, Troy Hunt goes on to say that the 1 in a million figure is perhaps not what we should be looking at: “The right number would be the one that illustrates not the likelihood of random people gaining access, but rather the likelihood of an adversary tricking the biometrics via artificial means such as the gummi bears and PCBs. But that’s not the sort of thing we’re going to know until people start attempting just that.”
Indeed, while some risks do remain (evil twins, being compelled to unlock a phone against your will, and remote access), biometric authentication does reduce the friction of using a phone securely. For the vast majority of users, that will be a good thing.