Unless you were hiding under a rock this Tuesday, you probably heard Apple’s big announcement about the iPhone X. The most important part of that announcement for the security community was that Apple is getting rid of the Home button and its fingerprint ID in favor of a facial recognition system in the new iPhone X. Called FaceID, it uses several sensors, including the front-facing cameras and an IR sensor, to recognize its user’s face and unlock the phone when they look at it. Our CTO Corey Nachreiner was quoted in Dark Reading and Security Week about the security risks of this new technology.
Here’s an excerpt from the Dark Reading article about the importance of multi-factor authentication. Nachreiner says while he strongly believes in biometric authentication, “bad actors will continually find ways around different identity tokens, even biometric ones.” The key, he says, is layering multiple forms of authentication in a way that’s still convenient for users.
The good news is that Apple’s system seems quite secure. They claim that FaceID will recognize its owner, even at night, with a false-positive rate of just 1 in 1,000,000. Corey notes that “The combination of a camera and IR sensor makes this system quite accurate and difficult to trick.” This is a huge improvement over early cell phone facial recognition systems, some of which could be fooled by putting a picture of the owner in front of the camera.
But a single secure token (even an extremely secure one) can eventually be overcome by a smart and determined threat actor. That’s why we advise everyone to use multi-factor authentication for their important logins. Another downside to FaceID is that the iPhone now has a 3D model of its user’s face. While Apple products are extremely hardened, this does introduce a new piece of user data that could be stolen or abused. Edward Snowden (who knows a thing or two about security and privacy) acknowledged on Twitter that Apple’s system looks robust, but he still believes normalizing facial scanning will lead to future abuse.