Security watchers have given Apple’s introduction of facial recognition technology a cautious welcome.
The newly unveiled iPhone X smartphone débuts an advanced facial recognition technology, called Face ID, which relies on Apple’s TrueDepth camera system. The technology features seven sensors and machine learning algorithms that quell previous fears that something as unsophisticated as a stolen Instagram selfie might be harnessed to defeat the technology.
A "secure enclave" is used to store the detailed mathematical model of a user’s face. All processing is on-device only, allaying concerns related to sensitive data being processed in the cloud. Users will be able to use the tech to either unlock their smartphone or make purchases.
The feature has the potential to shape the future of biometric authentication, according to some. Others caution that authentication via facial recognition is not new and that no security measure alone is a silver bullet.
“While it is difficult to replicate the facial features of a user, early attempts at this technology in consumer devices were easily defeated by simply placing a picture of the user’s face in front of the camera,” said Stephen Cox, chief security architect at SecureAuth. “The iPhone X has 3D capabilities that can judge distance, a mitigation for this vulnerability. It remains to be seen how effective it is, but you can bet that the hacker community will fervently try to defeat it.”
“Still, no single authentication technique is beyond the reach of attackers. Devices will be hacked and sensors will be tricked. It is important to layer such technology with adaptive authentication methods, such as IP reputation, phone number fraud prevention capabilities or behavioural biometrics,” he added.
Other researchers saw little advantage in facial recognition beyond what was already offered by fingerprint recognition.
“Fingerprint scanning, facial recognition, Bluetooth, geolocation and even a short PIN are all ways to simplify access not only for yourself, but also for a potential attacker,” said Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies. “Even if the new Apple algorithm for facial recognition cannot be fooled by photography, vertical self-videos can easily be found in the public domain - for example, on Instagram - and could be used to crack the device.
“As a replacement for fingerprint authentication, this feature has only one advantage: it is unlikely to be able to unlock the phone when the owner is asleep,” she added.
Hackers have defeated the Touch ID technology that has been superseded by Face ID. Galloway reckons it’s only a matter of time before attacks against Apple’s latest authentication technology are successful.
Simon Migliano, head of research at Top10VPN.com, struck a more upbeat note. “From its court battle with the FBI over the contents of a private phone to the popularisation of the secure Touch ID and its role in contactless payments, Apple has earned our trust when it comes to security, and I don’t see this being any different.”
Data breaches, password reuse and related issues have spurred interest in biometrics as a way of offering stronger two-factor authentication.
Passwords and PIN numbers can be copied, stolen, guessed or shared easily. Biometrics are not without their drawbacks, but they have the potential to offer customers and businesses alike a more secure choice of authentication and verification. The wider availability of an ever-increasing array of biometric technologies with the latest generation of smartphones is likely to spur more widespread adoption.
Ollie Hayler, business development director for PalmSecure Biometrics at Fujitsu Cyber Security & Enterprise, commented: “While we don’t expect biometric adoption to happen overnight, the proliferation of biometric technologies in consumer devices such as the Apple iPhone will result in consumers becoming more familiar and comfortable with the technology. As such, biometric verification of identity on a personal device will, in one way or another, become a standard identification process.”