Apple surprised everyone this week by announcing the new Face ID feature of the iPhone X, and it didn’t take a cyber security expert to ask the obvious question: is this even safe?
The new iPhone is being promoted loudly on its biometric security, using facial recognition instead of passwords. That seems pretty risky, as many consumers just aren’t there yet when it comes to biometrics.
Several companies have tried developing this feature in the past. Samsung’s facial recognition feature was circumvented by a picture of the person. Android had a similar feature that was easily hacked back in 2011.
A lot of funny consumer comments have already spun out of this PR launch. For example: what if I blink or twitch? What if someone uses a picture of the person or takes a picture when they are sleeping?
Although a lot of these are in jest, I for one would like to know whether an unsuspecting iPhone owner would be giving away access to their cell phone while they slept soundly.
The Wisdom of Apple
Apple has tried to counter these fears and has come back with a lot of good reasons why its Face ID feature is more advanced and safer. For one, it doesn’t just use a 2D image of a face: a special infrared camera and sensors record a 3D image of the phone owner’s face. Secondly, it requires a person to look straight into the phone; it needs their undivided attention.
Why is this important?
Biometrics is part of the landscape of a more secure cyber future. This matters especially after the recent cyber-attack on Equifax, one of the credit bureaus that we had all trusted with our social security numbers. Figures are now showing that up to 40% of all adults in the US have had their information stolen.
Any type of information that you can store somewhere, like passwords, swipes and signatures, can be stolen. Biometrics can be easier to use because it is not information that you can give away or replicate. Everyone has their fingerprint, their facial structure, etc.
The problem is that hackers are finding creative ways to get around it, and in some cases cyber-attacks on biometric information are proving to be even deadlier. Back in 2015, hackers got into the Office of Personnel Management and stole 5.6 million fingerprints.
As you’ve probably figured out, I hope, you can’t change your fingerprint (unlike a password). So those people can suffer the effects of the breach for years.
In a world where we can’t even trust our credit bureaus to store our information safely, how can we trust any company that stores our biometric information? Any system that stores our fingerprints or facial scans is bound to be hacked sooner or later.
So, not to scare anyone here, but if you scan your face for a login, your face may resurface on the dark web sooner rather than later. This method is not without its problems.
Thankfully, there are several measures that companies could take to make biometric authentication more secure. For one, they could put all the information on a cloud system and secure the endpoints.
Intel is developing something called Intel Online Connect, which ensures that the local private key, along with its biometric templates and data processing, is not available to the operating system of the device. This protects the biometric information against man-in-the-middle (MitM) and man-in-the-browser (MitB) attacks.
Let’s hope that this generation of iPhone comes with fewer hiccups than laughter.