While it seems as though we’ve had fingerprint sensors on our iPhones and iPads forever, Apple released Touch ID just four short years ago, forever changing our expectations for how we unlock our devices. (For more details about how fingerprint scanners work, see my article “Q&A about Fingerprint Scanning,” 10 September 2013.) Touch ID was a sneaky little innovation that improved security for everyday iPhone users with an option that was as easy to use as picking up your phone.
The real innovation with Touch ID wasn’t in adding a fingerprint reader to a smartphone — Apple was far from the first to do that — but in how Apple tied Touch ID to the iPhone’s hardware, keychain, and long passcodes. Touch ID doesn’t replace passcodes; it supplements them. In essence, your fingerprint “unlocks” your passcode, which in turn unlocks both your iPhone and the keychain that stores all your app passwords.
All this is managed and protected by special security hardware built into the Secure Enclave coprocessor that’s integrated into the A7 and later A-series chips to handle encryption and key management. Your fingerprint never leaves your device — heck, it can’t leave your device — and the fingerprint itself is never needed or used outside the Secure Enclave.
The result is that iOS users can have the security of a strong passcode with the convenience of no passcode at all. Yes, Apple does require users to enter their passcodes occasionally and under certain conditions, but overall, in day-to-day use, you don’t have to worry about entering six or more characters every time you want to unlock your iPhone to respond to a text message. The main downside of Touch ID is that it requires physical space on the front of the iPhone that could be used for screen real estate.
While it’s usually risky to comment on hypothetical Apple products, Apple recently, and undoubtedly accidentally, released the firmware for its upcoming HomePod smart speaker. Filled with references to other upcoming products and technologies, the firmware release makes it reasonably probable that Apple will release an updated iPhone that relies on facial recognition, rather than a Touch ID sensor.
Facial recognition is an entirely different kind of biometric technology that’s historically far more difficult to implement than a fingerprint reader. While fingers do get wet, dirty, or scratched, modern sensors rely on more than just the ridges and whorls, and devices like iPhones can store multiple fingerprints.
As anyone who has looked in a mirror in the morning can tell you, faces change throughout the day. We wear glasses, move into different lighting conditions, and some men don’t shave on a regular basis. Worse, in this age of selfies, there is no shortage of high-resolution photographs of our faces on the Internet, and many people have high-quality printers. Hackers recently defeated Samsung’s facial recognition system with a photo and a contact lens.
I have no idea how a potential “Face ID” might work, but I do know what I’m going to look for if Apple adds facial recognition to its iOS security arsenal. If we consider how Apple usually handles these transitions, we can make certain assumptions about what it might look like. The key is to evaluate equivalence, rather than exactness. We don’t care whether Face ID (we’ll roll with that name for now) works exactly like Touch ID — we just need it to be close enough, or even better in other ways.
Before you start panicking about a world in which someone can unlock your iPhone by holding up an iPad with a picture of you on screen (let’s be honest, that’s the first hack we’ll all try), let’s think through the problem and what to look for if Apple does indeed release Face ID.
Is Face ID as Secure as Touch ID? -- The answer to that question is more than a simple yes or no. When I look at the security of Touch ID today, I can see three aspects to consider if Face ID appears:
Does it cost as much to circumvent? Touch ID isn’t perfect — there are a variety of ways to create fake fingerprints that can fool it. The financial cost is not prohibitive for a serious attacker, but the attacks are time-consuming enough that the vast, vast majority of iPhone users don’t need to worry about them. I’m sure someone will come up with ways to fool Face ID, but if doing so requires taking photos from multiple angles, computing a 3D model, 3D printing the model, and accurately surfacing it with additional facial feature details, I’ll call that a win for Apple. It will make an awesome presentation at a hacking conference, though.
Does it have an equivalent false positive rate? In security, the “false positive rate” is the number of times the system will accept a fingerprint (or face) as being the right one when it’s the wrong one. If you let 100 people in a room try to unlock your iPhone and one stranger’s fingerprint actually works, the false positive rate is 1 percent. From what I see, Touch ID’s false positive rate is low enough to be effectively zero in real-world use. As long as Face ID is about the same, we’ll be good to go.
Does it use a similarly secure hardware/software architecture? As noted above, one of the most important aspects of Touch ID is how it ties into the Secure Enclave. I would be shocked if Apple didn’t keep this model, but you should expect changes to support the different kind of processing and the multi-purpose nature of underlying hardware such as cameras. If Apple releases Face ID, my guess is that it will use some sort of dedicated processor tied to multiple sensors so its security is at least as good as that of Touch ID.
Is Face ID as Capable as Touch ID? -- As I mentioned, the genius of Touch ID was that it enabled consumers to use a strong password with the same convenience as no password at all most of the time. This was one of the biggest differentiators between Touch ID and previous phone-based fingerprint approaches — the harmonization of the fingerprint with the passcode. In terms of ease of use, you should focus on four criteria:
Is it as fast? The first version of Touch ID was pretty fast, taking a second or less. Today’s second version is so fast that you barely notice it most of the time. Face ID has to be close enough to the speed of Touch ID that the average user won’t notice a difference. If I need to hold my iPhone steady in front of my face while a little capture box pops up with a progress bar saying “Authenticating face…”, it will be a failure. But we all know that isn’t likely to happen.
Does it work in as many different situations (at night, while walking, etc.)? Touch ID is far from perfect. I work out regularly and, awesome athlete that I am, I sweat like the evil Moist from Dr. Horrible’s Sing-Along Blog, and Touch ID doesn’t work well with sweaty fingers. Face ID doesn’t need to work in exactly the same situations, but it must work in an equivalent number of real-world situations. For example, I use Touch ID to unlock my iPhone when it’s sitting on a table to pass off to one of the kids, and I use it while lying sideways in bed with my face mushed into a pillow. Face ID will probably require me to pick the phone up and look at it. In exchange, I’ll probably be able to use it with wet hands in the kitchen. Tradeoffs are fine as long as they are insignificant, net neutral, or positive. Since the HomePod firmware indicates that the Face ID sensor may be infrared, it will likely work in the dark as well.
Is it as reliable? The key phrase here is “false negative rate.” As I noted previously, the false positive rate represents the number of times a sensor accepts the wrong biometric as being valid. On the flip side, the false negative rate is the number of times the sensor rejects the correct biometric. Even second-generation Touch ID can be fiddly at times, as in my workout example above, and some people have real problems with Touch ID working reliably. Face ID will have to handle things like changing facial hair, lighting conditions, moving, and so on. This question ties into a number of situations where Face ID works, but instead asks “Is Face ID as reliable as Touch ID within its supported scenarios?” This is one area where I could imagine some significant improvements over Touch ID.
Does it offer an equivalent set of features? My wife and I trust each other and share access to all our devices. With Touch ID, we enroll each other’s fingerprints. Touch ID also supposedly improves over time. Ideally, Face ID will work similarly, allowing multiple enrollments and improving, rather than degrading, as time and gravity take their toll on our faces.
Determining Success -- If Face ID becomes a reality, plenty of articles will focus on all the differences from Touch ID. Plenty of people will complain that it doesn’t work exactly the same. And plenty of security researchers will find ways to circumvent it. But what really matters is whether Face ID hits the same goal, which is to:
Allow a user to use a strong password with the convenience of no password at all, most of the time.
Face ID doesn’t need to be the same as Touch ID — it just needs to work reasonably equivalently in real-world use. I won’t bet on Face ID appearing in a future iPhone, but I will bet that if it does, Apple will make sure it’s just as good as Touch ID overall. In the event that it ships, I think Face ID will be as hard or harder to fool, will tie into the Secure Enclave, will be extremely fast, and will work in most of the real-world situations that have stymied previous attempts at smartphone-based facial recognition.