
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Apple Face ID: Safe, but not as safe as multifactor authentication

November 3, 2017 By The Editor


Apple’s new flagship phone, the iPhone X (pronounced “iPhone Ten”) launches today to sky-high levels of hype and a certain amount of skepticism from the security and privacy community. Apple has removed the fingerprint sensor from the iPhone X in favor of a facial recognition system called Face ID. Facial recognition has a long history in science fiction, but most early real-world attempts at the technology were full of errors and easy to fool. This presents some serious security and privacy issues. After Apple’s initial announcement, Twitter was full of memes about Arya Stark and the Faceless Men from Game of Thrones!

So how secure is Face ID? Our CTO Corey Nachreiner answers that question and more in a column in Tech Beacon. Corey argues that Face ID is extremely secure, but requiring multi-factor authentication to log onto the phone would be even stronger.

Many early facial recognition systems were based on processing flat, 2D images and could be fooled by a photo of a face. In fact, this photo bypass trick still works with some of the latest facial recognition in new devices like the Samsung Galaxy S8. To combat the simple photo attack, facial recognition technology started adopting new “liveness detection” or motion tests. Beyond just recognizing your face, new algorithms would also look for certain motion, such as blinking eyes or a smile, in order to ensure they were looking at a live person. Unfortunately, many of the systems looking for motion were quickly defeated with simple videos, or even by editing a “blink” into a photo, and switching between the two photos. 

Finally, a few of the more advanced 2D facial recognition systems started to leverage camera motion to get a pseudo-3D view of a face. The shape of a 3D object like your face alters in a predictable manner as a camera moves or changes angle. This is due to a visual effect called parallax, which creates a pseudo-3D or “2.5D” effect. Some facial recognition systems leverage this camera motion to defeat the static photo attack. If an attacker shows a simple picture to such a system, the angle of the face in the picture doesn’t change properly as the camera moves, making these types of facial recognition systems much harder to spoof. However, when there’s a will, there’s a way. Just last year, researchers figured out a way to spoof these moving facial recognition systems.
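The parallax check described above can be sketched in a few lines; this is an added example, not code from the original article or from any vendor's product. It assumes a simplified orthographic camera, under which landmarks on a flat photo map between two viewpoints by a single affine transform while landmarks on a real face do not; the landmark coordinates, the 15-degree camera rotation and the threshold are constructed for illustration.

```python
import math

# Constructed landmarks (x, y, z) in millimetres: eyes, nose tip, mouth corners, chin.
FACE = [(-30, 30, 0), (30, 30, 0), (0, 0, 25), (-20, -30, 5), (20, -30, 5), (0, -60, 10)]
PHOTO = [(x, y, 0.0) for x, y, _ in FACE]  # the same landmarks printed on a flat sheet

def project(points, yaw_deg):
    """Orthographic view of 3D points after the camera rotates by yaw about the y axis."""
    t = math.radians(yaw_deg)
    return [(x * math.cos(t) + z * math.sin(t), y) for x, y, z in points]

def solve3(A, b):
    """Solve a 3x3 linear system by Gaussian elimination with partial pivoting."""
    M = [row[:] + [v] for row, v in zip(A, b)]
    for i in range(3):
        p = max(range(i, 3), key=lambda r: abs(M[r][i]))
        M[i], M[p] = M[p], M[i]
        for r in range(i + 1, 3):
            f = M[r][i] / M[i][i]
            M[r] = [a - f * c for a, c in zip(M[r], M[i])]
    x = [0.0] * 3
    for i in reversed(range(3)):
        x[i] = (M[i][3] - sum(M[i][j] * x[j] for j in range(i + 1, 3))) / M[i][i]
    return x

def affine_residual(view_a, view_b):
    """RMS error of the least-squares affine map from view_a landmarks to view_b landmarks."""
    rows = [(x, y, 1.0) for x, y in view_a]
    AtA = [[sum(r[i] * r[j] for r in rows) for j in range(3)] for i in range(3)]
    err = 0.0
    for k in (0, 1):  # fit the x' and y' coordinates separately
        target = [p[k] for p in view_b]
        Atb = [sum(r[i] * t for r, t in zip(rows, target)) for i in range(3)]
        coef = solve3(AtA, Atb)
        err += sum((sum(c * v for c, v in zip(coef, r)) - t) ** 2
                   for r, t in zip(rows, target))
    return math.sqrt(err / len(rows))

def looks_three_dimensional(points, yaw_deg=15.0, threshold=0.5):
    """True when the two views cannot be explained by a flat surface (assumed threshold, mm)."""
    return affine_residual(project(points, 0.0), project(points, yaw_deg)) > threshold
```

A flat photo yields a residual of essentially zero, while the constructed face leaves about 2 mm of unexplained landmark motion, which is the depth cue this class of system relies on.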

Apple solves these issues in Face ID. It goes beyond just tracking motion from 2D video, to actually mapping 3D environments using a technique called structured light. This technology, also used in the Xbox Kinect, creates a complete 3D map of each user’s face. This solves many of the issues of 2D facial recognition and makes the system much harder to fool.

But Corey also argues that no single security factor, even a strong biometric one like Face ID, will ever be as strong as multi-factor authentication. Here’s an excerpt from the article where he makes this point. 

Rather than using different factors individually, we need to pair two or more together. With enough time and effort, someone could probably create a convincing copy of your face, but what if your phone or bank account required both your face and password to log in? That would make it exponentially harder to crack. 

In the end, I believe multifactor authentication is your only truly secure option for protecting critical information. Rather than quibbling over whether Face ID is more secure than Touch ID, or if certificates are more secure than passwords, we should realize that all authentication factors have weaknesses. Apple did well in designing Face ID, but unless you pair it with something else, hackers will eventually defeat it.

Read the whole article on Tech Beacon (you probably need reading material while you’re waiting in line for an iPhone X) and learn more about iPhone X security here on Secplicity. 


Filed Under: Editorial Articles, Featured
