FaceID v/s.Touch ID! Iphone X Too Convenient to be Secure?

The new biometric-Face ID uses a 3D scan of the face as a password to unlock their device

In an attempt to make things more convenient, Apple, with its new iPhone X, might be exposing its users to a serious security risk.

The new iPhone X has removed the home screen button and has put up a face recognition technology to unlock the iPhone. The new biometric-Face ID uses a 3D scan of the face as a password to unlock their device.

FaceID requires the person to simply look at their phone and it automatically recognizes the user’s face in a no time and unlocks itself. It also replaces Touch ID for Apple Pay. This means, even for transactions, all a user has to do is to look at his/her to authorise the transaction.

Apple executive, Phil Schiller said in the launch keynote: "With the iPhone X, your iPhone is locked until you look at it and it recognizes you. Nothing has ever been more simple, natural, and effortless. This is the future of how we'll unlock our smartphones and protect our sensitive information."

Apple states that unlocking a phone via FaceID will be way more convenient than unlocking it with fingerprints, now that users won’t have to worry about wet hands etc. Apple is working too hard to make things convenient for its users.

What are the security concerns?
However, the use of FaceID seems to be so effortless it raises a lot of security questions.

In the past, there have been many cases where a face recognition technology has been easily spoofed by using simple tricks. In 2009 security researchers demonstrated that they could spoof the face-based login system of laptops just by using a printed photo held in front of the camera.

Not only that, in 2011, Android had a face unlock feature that required the person to blink in front of the camera before the phone would unlock itself. Researchers were successful in bypassing the security with a little photoshop effect.

Although it is clear that hacking iPhone’s FaceID won’t be a child’s play. The new version of iPhone uses an infrared system to cast a grid of 30,000 invisible light dots onto the user’s face.

The user is required to rotate his/her head while the camera captures the distortion of that grid to map the face’s 3D shape.

A security researcher said that the iPhone FaceID might be harder to crack, but it is certainly possible by 3D printing the victim's head."The moment someone can reproduce your face in a way that can be played back to the computer, you’ve got a problem," he further adds "I’d love to start by 3-D-printing my own head and seeing if I can use that to unlock it."

What was Apple's reaction?
Despite the security concerns, Apple is quite confident with their technology by saying that Face ID cannot be fooled by photographs, and they have tested the system against face masks which means that even a photo-realistic face mask won’t fool it.

It’s also confirmed by the company that Face ID does get confused by identical twins. Further, Apple said that Face ID needs the user’s attention. It will require some kind of user’s interaction in order to successfully unlock the phone.

Apple's Schiller said in a Keynote that even 3D printing the head won't work in spoofing the FaceID. To further prove his point, he showed a photo of minutely detailed masks created by Hollywood special-effects consultants that he said Apple used to test the feature.

Biometrics or passwords?
There are pros and cons of both methodologies. While using Biometric like fingerprints or facial recognition is easy and convenient, but at the same time if someone is successful is replicating a person’s biometric data, unlike password they won't be able to change it. The hacker will gain a life time access to their data unless of course, they use a different finger to unlock. A person can still not have two faces though.

On the other side, if a user has a weak password or he/she becomes a victim of social engineering that also will lead to a major security risk.

Besides this, there is one more risk especially to facial biometric data that a person’s face sits out in the open. Anyone can get hold of a victim’s pictures and use it to bypass the facial authentication system.

In order to achieve a maximum level of security passwords and biometrics, both of them should be required to unlock a device. Even if one layer of security gets bypassed the user will still remain secure.

Ankush Johar, director at BugsBounty.com, said: “No matter how convenient, the FaceID has a potent risk. Passwords are completely private and if needed can be protected with precautions. Your fingerprints, on the other hand, have a potential to be picked up from anywhere as you can’t just wear gloves everywhere.

"Now, with FaceID, your sole authentication medium is always out in the open, up for grabs. If your phone can use an infrared scan to trace every inch of your face then so can any other hardware. It’s about time that someone finds a way to replay it back to your phone and it’s game over then.

“Apple, however, can ensure that they are the first to know about any such attack or a vulnerability that exposes FaceID to such risks by staying prompt with their active bug bounty program. An increased bonus bounty offer might help Apple to grab the attention of security researchers all across the globe before a million dollar or two are offered in the underground community just as with the present mechanisms.”

Tags assigned to this article:
FaceID Touch ID iPhone X


Around The World