iPhone X Face Unlock - A Biometric Engineer's Perspective
In case you aren't aware, the new iPhone X has removed the physical home button along with the integrated fingerprint reader. You will no longer be able to unlock an iPhone with your fingerprint - you will have to use a PIN or your face. I'm interested in the public perception of face biometrics, so I have read most of the blog articles discussing this topic. I wanted to summarize some of the points made about this, and how I see them as a biometrics engineer.
Caveat: I don't have any knowledge of Apple's face tech other than what has been posted publicly. I don't use an iPhone, but I do use a MacBook. I'm neither an Apple fan-boy, nor an Android fan-boy. For some reason, many discussions about phones devolve into "religious" debates, but this one will be strictly technical.
The articles I have seen cover the following themes, many of these repeated for any phone-based biometric:
- You shouldn't use a biometric as a single factor to secure a phone
- Biometrics are easy to spoof
- Biometrics are not revocable
- You can be compelled to produce biometrics by law enforcement
- Face biometrics are dependent upon lighting and are slow/unreliable
- Apple's face biometric is better than a fingerprint
I'd like to cover each of these briefly in the following sections.
Biometrics as a Single Factor
The gist of this argument is that using a biometric (face or other) as a single factor to unlock your phone is inherently insecure because it might be spoofed or bypassed in some way. While it is certainly true that a single factor is less secure than multiple factors, the real question is "How much security do you need?" I would guess that most of the bloggers complaining about the lack of security from using a face or other biometric to secure a cell phone have their homes secured by a conventional key lock. This is a single factor (something you have - a key) and it is super-easy to defeat by a locksmith or a 12-year-old who has practiced picking locks for a couple of hours. Security isn't about perfection or eliminating risk - it is about managing risk. The goal is to balance the cost of the security with the thing you are protecting. My guess is that people lock their phone for two reasons:
- They don't want obnoxious coworkers or family members messing with their phone (this is my main reason)
- If they lose their phone, they want to make sure strangers can't snoop through their stuff
Assuming I am right, we want to make sure our security is convenient, or it won't be used. I never used PINs because they take too long to type for the 40 times a day I use my phone. Having better security that no one uses is not a gain at all. For most people, the issue of biometrics as a single factor is just not important.
Biometrics are easy to spoof
So far all of the biometric implementations on phones have been relatively easy to spoof by dedicated hackers. It is really hard to make a biometric sensor completely immune to spoofing when you can't control the presentation to the sensor. From what I have read of Apple's face tech, it sounds very spoof resistant, and I am eagerly awaiting the results of hack attempts. However, this gets back to my previous point - how important is your phone, and what attacks are you expecting? Let's say you are the president, or a famous celebrity, or a terrorist. You should expect that someone may try to spoof biometrics to get into your phone, and they will probably be successful. So you should instead use a PIN (unspoofable) or two-factor authentication. Alternatively, you can just actively maintain a remote wipe capability so you can wipe your phone if it falls into the wrong hands.
Biometrics are Not Revocable
This argument comes up all the time with respect to biometrics as a form of authentication. The basic argument is that if someone gets your password you can change it. But if someone copies your fingerprint, you can't change that. I certainly can't argue with that logic, and it is an argument against using biometrics as a single factor for authentication. The other way this is often discussed is to say "biometrics are a username, not a password." I'm not a fan of that because I think it muddies the waters, but it does have an element of truth to it. The fact that biometrics are not revocable isn't really an argument against biometrics, it is an argument against using biometrics as a single factor in a secure application. If you treat biometrics as a convenience for unlocking your phone, then the argument isn't relevant at all.
Biometrics and Law Enforcement
The issue here is very complex from a legal perspective, and to properly address it you need a panel of lawyers and constitutional scholars. Since I am not a lawyer, nor a scholar, nor a panel, I can't really address this except in a layman's view. Based upon what I have read, a PIN is considered "speech", while a biometric is considered the equivalent of a physical key to a lock. You can be compelled by law enforcement to give a key to a lock, but you are protected by the Fifth Amendment such that you don't have to divulge your PIN to allow them to unlock your phone. If you are planning to do illegal things with your phone, then you should not lock it with a biometric. That may change in the future if this ever goes to the Supreme Court, so make sure you keep up with case law. For most people, however, this really isn't an issue.
Face Biometrics are Slow and Dependent Upon Lighting
This one is absolutely true! Face biometrics are annoyingly dependent upon lighting, and on cell phones a face match is usually slow. I have tried the face matching implementations from both Samsung and Google and they are way too inconvenient to use in practice. Details on Apple's implementation are still limited, but we do know they use infrared and lasers. Infrared is a good choice for this because it eliminates the variability in room lighting - in fact it should work fine in the dark. We use infrared at TIS for both irises and faces and it does solve a lot of problems. The laser thing is puzzling - supposedly it samples 30,000 points on your face to prevent someone from using a 3-D printed mask of your face. That will be interesting to see, and something brand new in biometrics. So it sounds like Apple has solved the lighting issue. What remains to be seen is how fast it is. To be a convenient unlock solution, it needs to reliably verify you in a second or less (like TouchID does now), otherwise people just won't use it.
Apple's Face Biometrics is Better than a Fingerprint
I keep seeing this one pop up and it is really annoying to me because it is true, but probably irrelevant. Apple's previous fingerprint implementation had a specification of having a better than 1 in 50,000 probability of a false match. In other words, if an imposter tried to unlock your phone they would have a .002% chance of getting lucky. Apple claims their face matching is better than 1 in 1,000,000 probability of false match. In that case an imposter would have a .00001% chance of success. That is certainly better, but I can't imagine that it will ever, ever make any difference to anyone. The iPhone will lock and force a PIN after a small number of attempts (5?) so it isn't like you can line up a bunch of people to try to break into a particular phone. If you are in a position where 1 in 50,000 is not good enough for you, but 1 in 1,000,000 is your requirement please reach out to me because I would love to hear your story.
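The effect of the attempt limit on those two false match rates, as an added example (not from the original article or from Apple): it assumes the 5-attempt limit guessed at above, treats every attempt as an independent trial at the quoted rate, and uses hypothetical function names.

```python
import math

# Figures quoted in the article; the attempt limit is the article's own guess.
TOUCH_ID_FMR = 1 / 50_000
FACE_ID_FMR = 1 / 1_000_000
ATTEMPT_LIMIT = 5  # assumption: biometric attempts allowed before a PIN is forced


def window_false_accept(fmr: float, attempts: int) -> float:
    """Chance that at least one of `attempts` impostor tries falsely matches.

    This is 1 - (1 - fmr)**attempts, evaluated with log1p/expm1 so that very
    small rates do not lose precision. Assumes independent attempts.
    """
    return -math.expm1(attempts * math.log1p(-fmr))


def windows_for_target(fmr: float, attempts: int, target: float = 0.5) -> int:
    """Number of separate lockout windows needed to reach `target` overall odds.

    Each window is a fresh set of `attempts` tries, which in practice means a
    different phone or an owner who keeps re-entering the PIN.
    """
    per_window_log = attempts * math.log1p(-fmr)
    return math.ceil(math.log1p(-target) / per_window_log)


def compare() -> dict:
    """Per-window odds and windows-to-50% for both quoted rates."""
    return {
        name: (window_false_accept(fmr, ATTEMPT_LIMIT),
               windows_for_target(fmr, ATTEMPT_LIMIT))
        for name, fmr in (("fingerprint", TOUCH_ID_FMR), ("face", FACE_ID_FMR))
    }


if __name__ == "__main__":
    for name, (p_window, windows) in compare().items():
        print(f"{name}: {p_window:.3e} per lockout window, "
              f"{windows} windows for even odds")
```

Under either rate a single lockout window leaves the impostor with negligible odds, which is the point made above: the attempt limit, not the difference between the two rates, is what stops someone lining up people to try a particular phone.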
Apple is getting an unusual amount of grief for the face unlock, but much of it rehashes arguments that have been leveled against the use of any biometric security in other phones in the past. However, if you treat the unlock as a "lightweight" convenience security mechanism, then most of these criticisms are totally irrelevant. And if you are expecting a complex biometric attack you need to totally rethink your security model anyway. The only thing that will make or break the iPhone X's face unlock is whether it is fast and reliable. Focusing on security is really missing the point.