No, Apple’s Face ID Is Not A ‘Secure Password’

Apple has announced its new smartphone, iPhone X. The device is extremely expensive, starting at $999 (or $1331 in the UK), so potential buyers are asking themselves: Is it really worth it?

One factor that might influence your decision is the fact that Apple seems to want more money for fewer features. Most prominently, iPhone X doesn’t include a ‘Touch ID’ fingerprint authentication system, but instead verifies your identity with ‘Face ID’, which is used to unlock the phone and authorize payments. That prompts another question: Is Face ID better?

You might expect a new system to offer better security, and Apple’s website states that ‘Your face is your secure password’. That statement is misleading, however.

In this article, I’ll explain why, and compare face recognition to other approaches to biometric authentication, including fingerprints.

The impact of Touch ID

Your fingerprints and face are a ‘biometric’, a measurable biological characteristic. The main benefit of biometric security is obvious: if a thief can’t use a phone because it’s secure, they have less incentive to steal it.

Secure authentication is a desirable feature because your phone is valuable — not only in terms of financial cost, but because of the priceless data it holds, like irreplaceable photos, private messages and email addresses.

Biometric security is popular because it’s so simple to use, says Professor Anil Jain of Michigan State University. “There’s no need for a passcode, you just put your finger or face in front of the mobile phone and it will unlock it.”

At Apple’s recent event, CEO Tim Cook said that iPhone “revolutionized security and privacy with Touch ID”, and marketing chief Phil Schiller later added that “Touch ID became the gold standard in consumer device biometric protection.”

Jain, who has developed numerous technologies for both fingerprint and face recognition, agrees. “Prior to Touch ID, most users did not protect their phone with a passcode or a PIN code, they would just leave it unlocked all the time.”

While Apple wasn’t the first to include fingerprint authentication, it did pave the way for the technology to become mainstream. “For the last 4 years since iPhone introduced Touch ID, almost every major vendor has been following in their footsteps,” says Jain.

So if Touch ID remains ahead of the competition, why is Apple switching to Face ID? Well, the company answers that on its site: ‘Our vision has always been to create an iPhone that is entirely screen.’

Like competitors such as Samsung, Apple wanted to make a premium phone with a so-called ‘edge-to-edge’ display, which eliminates unsightly bezels around a screen. But removing bezels creates a problem for another feature: the fingerprint sensor.

Where could the sensor go? One option is on the back of the phone, as found on Samsung’s Galaxy S8 and other Android devices. Another is to integrate it within the display. “That’s a little bit tricky because sensing the fingerprint beneath the glass adds more complexity in terms of the fingerprint image quality,” Jain explains. Some sources claim Apple abandoned the approach after failing to get embedded Touch ID to work; others say the company decided early on that it didn’t need it.

Whatever the reason, the end result for iPhone X is the same. Apple ditched fingerprints in favor of another biometric: the face.

Security of Face ID

Phone makers must consider two aspects of biometric security: protection of stored biometric data, and defence against ‘presentation attacks’ that use fake — or ‘spoofed’ — biometrics to try and fool an authentication system.

To protect stored biometric data, it should be kept in an isolated part of a smartphone’s internal memory and not transmitted to a database on an external computer server. As Apple’s Phil Schiller said, “Your face data’s protected with a secure enclave… the processing is done on iPhone X and not sent to a server”. Jain believes that’s the best storage solution for biometrics. “It is not in some central database, which is [more] likely to be hacked.”

To defend against spoof attacks, you have to fight hackers constantly. “Spoofing and anti-spoofing is essentially a cat-and-mouse game,” says Jain. “Imposters will keep pushing the limits of spoofing, and the phone manufacturers will have to do their best to counter that.”

No authentication system is unbeatable, and new ones are especially vulnerable. A hacker group defeated Touch ID within weeks of its release, for example, and last year Jain’s team showed that Samsung’s Galaxy S6 phone could be unlocked with fake fingerprints from an ordinary inkjet printer using special photo paper.

Schiller said Apple’s engineering team “worked hard to make sure Face ID can’t easily be spoofed by things like photographs”, testing the system with realistic models created by professional mask-makers and make-up artists in Hollywood.

But Apple can’t rest on its laurels if it’s to stay ahead in the cat-and-mouse game. Although Face ID has only just been announced, strategies that could potentially beat it already exist. At the 2016 USENIX Security Symposium, a University of North Carolina team described how they collected pictures from social media to create animated 3D models in virtual reality, which were used to bypass face recognition. Some security researchers aim to unlock iPhone X by 3D-printing a head.

A spoofer can find photos of your face if family or friends post pictures on Facebook, whereas fingerprints are left behind on surfaces in public places, such as restaurants or bars. While such identity theft might sound like a scene from spy movies, those scenarios are certainly possible.

Although spoof attacks might be a concern if you’re a celebrity with a sex tape, for instance, most people are probably safe from hacking because their data isn’t very valuable. “The average person doesn’t need to worry too much about it,” says Jain.

Comparing biometrics

How does Face ID compare to Touch ID? That question is difficult to answer, but there’s certainly no real evidence to prove it’s more secure, regardless of what Phil Schiller implied at Apple’s recent event:

“The chance that a random person could use their fingerprint to unlock your iPhone is about 1 in 50,000,” Schiller said. “What are the similar statistics for Face ID? One in a million. The chance that a random person in the population could look at your iPhone X and unlock it with their face is about one in a million.”

The stats are mathematical misdirection that hides a leap in logic, because comparing those numbers isn’t relevant to security. Unless the figure is really low (say, 1 in 100), it doesn’t matter how many random people it takes to accidentally unlock your phone. The issue is whether a particular person — a thief — could deliberately spoof your identity after acquiring your biometric data. A compromised passcode is easy to change, but your identity is not, so it’s a bad idea to return to face authentication once your features have been compromised.

Understanding why Face ID isn’t more secure involves being able to distinguish between absolute and relative security. Although face recognition is absolutely better than no protection at all, it’s not relatively more secure than Touch ID.

To Schiller’s credit (and as I would expect from a fellow biology graduate), he also admitted that the unlikelihood of someone unlocking your phone is “lower if that person shares a close genetic relationship with you” and “if you happen to have an evil twin, you really need to protect your sensitive data with a passcode.”

This strongly suggests that a PIN code or password is more secure than Face ID, which contradicts Apple’s claim that ‘Your face is your secure password’. In many circumstances, ‘password’ could be taken as a figure of speech, but in the specific context of security, it’s an inappropriate use of the word.

Could you prevent a thief from unlocking your iPhone X? According to Apple’s software engineering chief Craig Federighi, there are two mitigation options: don’t stare at the phone (Face ID is ‘attention aware’, so it only unlocks after eye contact), or grip the phone and press the buttons on both sides of the device to temporarily deactivate face recognition.

Both require an optimistic — even unrealistic — response to being confronted by a criminal or cop, a scary situation where your adrenaline is pumping and you might not have the presence of mind to remember to disable Face ID. And is it worth risking your life if a mugger with a knife or gun orders you to unlock your phone?

As Schiller correctly stated, “There’s no perfect system, not even biometric ones.” That still doesn’t answer the question of whether biometrics are more secure though.

There are three approaches to authentication, which rely on having things that you: 1) know, 2) have, or 3) are. For example, a passcode is something you know, an ID card is something you have, and a fingerprint is something you ‘are’. So should you secure iPhone X with what you are, or what you know?

One advantage of a passcode is that you might not be compelled to reveal it to police or government agents (customs, border control or the FBI) if you invoke the Fifth Amendment, which protects American citizens from self-incrimination. By contrast, you could be forced to unlock your phone (or end up in jail), which suggests that your face is vulnerable too.

On the other hand, Face ID is easy to use. “From the perspective of usability and user convenience, perhaps face recognition is better than a passcode,” says Jain. In fact, despite the ‘secure password’ slogan, Apple’s site doesn’t explicitly claim that Face ID offers greater security, only that it’s ‘even more convenient’.

The future of phones

Faces and fingerprints are sensory inputs recognized by computers, or what scientists call a ‘modality’. Phones can currently use four modalities: face, fingerprint, iris and voice. Which of those is best for security?

Voices are rarely used because noisy environments make them unreliable and they’re easy to copy, whereas irises are best because eye scans are hard to find online, as Jain points out. “People don’t have their iris images posted on a website.”

Because iPhone X lacks Touch ID, users who would otherwise choose fingerprints won’t be able to do so. Apple seems to want to leave its popular modality in the past, with Phil Schiller saying “Face ID is the future of how we will lock our smartphones and protect our sensitive information.”

Jain disagrees, predicting that future devices will be ‘multi-modal’ — they will use multiple modalities. “I believe that a mobile phone will have all four capabilities of biometrics — face, fingerprint, iris as well as voice,” he says. “The advantage of multi-modal is that the user may have a choice.”

While people may not always approve of Apple’s choices of which technologies to include (or exclude, in the case of the headphone jack), the company’s track record suggests Face ID will be well implemented — ‘it just works’.

For those planning to buy iPhone X, the question is whether face recognition works best for you.

JV Chamary is an award-winning science journalist.

Forbes