
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Is the iPhone X’s Facial Recognition System a Security Risk?

September 15, 2017 By The Editor


Unless you were hiding under a rock this Tuesday, you probably heard Apple’s big announcement about the iPhone X. The most important part of that announcement for the security community was that Apple is getting rid of the Home button and its fingerprint ID in favor of a facial recognition system in the new iPhone X. Called FaceID, it uses several sensors, including the front-facing cameras and an IR sensor, to recognize its user’s face and unlock the phone when they look at it. Our CTO Corey Nachreiner was quoted in Dark Reading and Security Week about the security risks of this new technology. 

Here’s an excerpt from the Dark Reading article about the importance of multi-factor authentication. Nachreiner says while he strongly believes in biometric authentication, “bad actors will continually find ways around different identity tokens, even biometric ones.” The key, he says, is layering multiple forms of authentication in a way that’s still convenient for users. 

The good news is that Apple’s system seems quite secure. They claim that FaceID has a false positive rate of just 1 in 1,000,000, even at night. Corey notes that “The combination of a camera and IR sensor make this system quite accurate and difficult to trick.” This is a huge improvement over early cell phone facial recognition systems, some of which could be fooled by putting a picture of the owner in front of the camera.

But a single secure token (even an extremely secure one) can eventually be overcome by a smart and determined threat actor. That’s why we advise everyone to use multi-factor authentication for their important logins. Another downside to FaceID is that the iPhone now has a 3D model of its user’s face. While Apple products are extremely hardened, this does introduce a new piece of user data that could be stolen or abused. Edward Snowden (who knows a thing or two about security and privacy) acknowledged on Twitter that Apple’s system looks robust, but he still believes normalizing facial scanning will lead to future abuse.   

Read Corey’s full comments in Dark Reading and Security Week and learn more about biometric authentication and multifactor authentication here on Secplicity.


Filed Under: Editorial Articles, Featured

Comments

  1. Ted Putnam says

    September 20, 2017 at 8:02 am

    The downside of a single biometric factor in this case is the ability of a bad actor intent on getting your information without your consent to simply point the phone at your face while you are immobilized.
    The same can be said for a fingerprint reader unless it is backed up by a PIN or Swipe.

    I have always understood security to be at least two of the following:
    Who you are – Username or equivalent
    What you have – Physical Key or RSA Token, Authorization code by phone or email, etc.
    What you know – PIN, Password, Pattern
    Biometric Feature – Face / Iris Scan, Fingerprint

    While one could make the case that the securing of individual access is now superseded by the massive data hacks, it is still important to best control access to personal resources the best way possible with dual factor authentication and encryption.

    After all, if there were a spate of burglaries in your neighborhood you would not be best disposed to leave your doors unlocked.
