With the announcement of the premium Apple iPhone X, the company left behind what it called the “gold standard” of smartphone security in Touch ID to focus on facial recognition with Face ID.
During the iPhone event in Cupertino, Calif., Phil Schiller, senior vice president of worldwide marketing for Apple, said the iPhone Face ID system was built on a new system called TrueDepth. This system combines a traditional camera, an infrared camera, a depth sensor and a dot projector — which projects 30,000 infrared dots onto the user’s face — to create a “mathematical model of your face.”
This model is then run through the Neural Engine — a part of the new A11 Bionic system on a chip — to compare the new scan against past models. The system will be able to learn over time to adapt as a person’s appearance changes with new hairstyles, facial hair, glasses and so on. All Face ID data will be stored in the Secure Enclave on the user’s device and not transmitted to the cloud.
According to Schiller, the chance of a random person being able to unlock another device with the Touch ID fingerprint scanner was one in 50,000, but the iPhone Face ID should have a one in 1,000,000 chance of a false positive — a twentyfold improvement. Schiller did note this likelihood would be higher if people share DNA, but claimed it should be able to tell the difference between a user and “an evil twin.”
The iPhone Face ID security system was tested against realistic masks designed by Hollywood special effects teams, Schiller said, and it was not fooled. Additionally, iPhone Face ID unlock requires the user’s attention and will not work if the user is looking away or has his or her eyes closed. The Face ID security feature will be available exclusively on the iPhone X premium model and not for the forthcoming iPhone 8.
Experts react to iPhone Face ID security claims
Jackson Shaw, senior director of product management at One Identity, said the improvement in false positives is impressive.
“I am willing to bet Apple has spent a considerable amount of time considering how best to implement Face ID and Touch ID and the tradeoffs between them,” Shaw told SearchSecurity. “No system can be foolproof or perfectly secure. Fingerprint biometrics suffered from the ‘gummy bear’ spoof for many years. What matters is how you stack or layer authentication methods. For example, a PIN code or password to unlock a phone plus a facial biometric would probably near being foolproof.”
Veronica Valeros, researcher for the cognitive threat analytics team at Cisco, thought iPhone Face ID security could be a game changer.
The #FaceID technology introduced by Apple will strongly influence the future of privacy and security.
— _Veronica_ (@verovaleros)
September 12, 2017
Richard Goldberg, principal and litigator at the law firm Goldberg & Clements in Washington, D.C., said legal cases “that permit an order to unlock an encrypted phone using a person’s fingerprint would appear to permit an order to unlock an encrypted phone using a person’s face.”
“However, it is worth remembering that some courts continue to strenuously object to orders demanding a fingerprint to decrypt a device, because the act of production is testimonial and, therefore, cannot be compelled. Federal courts in the 7th and 11th Circuits have held that the act of production using a fingerprint is protected by the Fifth Amendment. So, the uncertainty remains,” Goldberg told SearchSecurity. “The new emergency feature in iOS 11 that will disable biometric unlocking appears to solve some but not all of the security concerns. So, the best option remains simply shutting off the phone, which prevents access without the passcode.”