Face ID’s Innovation: Continuous Authentication
Every year, as I travel around the security conference circuit, the hallway conversations always turn to the interesting things attendees have seen lately. To be honest, I can’t remember the last time I was excited about a legitimately cool security technology. I see plenty of security evolution, but not much revolution.
That is, until my iPhone X arrived on launch day, and I got to try Face ID in real-world usage. Put simply, Face ID is the most compelling advancement in security I have seen in a very long time. It’s game-changing not merely due to the raw technology, but also because of Apple’s design and implementation.
First things first — Face ID nails nearly every criterion I came up with to evaluate it in “Preparing for a Possible Apple “Face ID” Technology” (18 August 2017). The false positive rate, unless you happen to have an identical twin, is 1 in 1,000,000, compared to Touch ID’s 1 in 50,000. Watch enough videos of journalists trying to fool Face ID with masks and it becomes clear that Face ID is more expensive to circumvent than Touch ID. We haven’t seen a public vulnerability yet, but I always assume one will be found eventually. Although Apple sometimes has a weak spot in underestimating bad actors, it did a good job with Face ID.
In my pre-release article, I wrote: “Face ID doesn’t need to be the same as Touch ID — it just needs to work reasonably equivalently in real-world use.” In my personal experience, and for every user I’ve talked with and in every article I’ve read, Face ID’s core usability is equal to or greater than that of Touch ID.
For example, Face ID doesn’t work from every angle at which you could reach the Touch ID sensor, but it works better than Touch ID when your hands are wet. I’ve tested it in all sorts of lighting conditions and haven’t found one that trips it up yet. The only downside is that Face ID lets you register just one face — my wife and I have become accustomed to being able to use Touch ID on each other’s devices.
I believe Face ID is slower at actual recognition than Touch ID, but it’s nearly impossible to notice due to the implementation. In the time it would take to move your finger to a Touch ID sensor, Face ID could have already unlocked your iPhone X.
That’s the real Face ID revolution. Since you’re almost always looking at your iPhone while you’re using it, Face ID enables what I call “continuous authentication.”
Continuous Authentication — We’re used to authentication events being discrete — you do something that requires proving that you’re the person performing the action, and the iPhone asks you to authenticate.
In the past, you had to either unlock your iPhone once and allow access to everything (well, everything that didn’t require a separate password) or put your finger on the Touch ID sensor whenever an app wanted you to authenticate. Face ID is different.
With Face ID, since you’re usually looking at your phone when an authentication event occurs, the iPhone X can scan your face as soon as you initiate the task that needs authentication, so it doesn’t need to ask you to do anything additional. And the iPhone X does this constantly. Here are examples I’ve discovered so far:
- Notifications, by default, don’t show details on the Lock screen until you look at the iPhone X. This is my favorite new feature since it improves security with little usability impact. (However, if you prefer being able to read notifications when your iPhone is sitting on the table in front of you, change Settings > Notifications > Show Previews to Always or Never.)
- I always disable Control Center on the Lock screen for security reasons, but now just looking at my iPhone X unlocks it so I can use Control Center. You can disable lots of other features on the Lock screen now too — look under Allow Access When Locked in Settings > Face ID & Passcode.
- Safari now optionally uses Face ID before filling in passwords on Web sites. Previously, even with Touch ID, passwords filled automatically if the iPhone was unlocked. That’s enabled by default in Settings > Face ID & Passcode. Many third-party apps, such as 1Password, can also use Face ID for authentication.
- Apple Pay and the App Store now authenticate with Face ID without prompting you for separate authentication actions.
- Apps can authenticate as you open them. This is where I believe Face ID is a bit slower than Touch ID, but it still feels faster because I don’t need to touch the Home button.
In short, Face ID allows your iPhone X to authenticate you under nearly every circumstance you need without requiring any action other than looking at the screen, which you’ll do anyway.
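The app side of the behaviour listed above, as an added example that is not code from this article or from any of the apps it names: a Swift function (the names `authenticateOnLaunch` and `LaunchAuthResult` are my own) that gates an app’s launch on Face ID through Apple’s LocalAuthentication framework, and falls back to the device passcode when biometrics are locked out or not enrolled. It assumes the app’s Info.plist carries the `NSFaceIDUsageDescription` key, which Face ID requires.

```swift
import Foundation
import LocalAuthentication

// Added example, not the article's or 1Password's code.
enum LaunchAuthResult {
    case biometric        // Face ID (or Touch ID) succeeded
    case passcode         // biometrics unusable, device passcode succeeded
    case cancelled        // user, app or system cancelled the prompt
    case failed(Error)
}

/// Name of the biometry enrolled on this device. `biometryType` is only
/// populated after `canEvaluatePolicy` has been called.
func biometryName(_ context: LAContext) -> String {
    var error: NSError?
    _ = context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error)
    switch context.biometryType {
    case .faceID:  return "Face ID"
    case .touchID: return "Touch ID"
    default:       return "no biometry"
    }
}

/// Ask for Face ID as the app opens. When Face ID is locked out (restart, too
/// many failed scans) or not enrolled, fall back to the passcode ourselves so
/// the app still opens and we know which factor was used.
func authenticateOnLaunch(completion: @escaping (LaunchAuthResult) -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = ""   // hide the system fallback button; we handle it
    let reason = "Unlock with \(biometryName(context)) to open the app"

    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        passcodeFallback(completion)       // no face enrolled or biometry locked out
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { ok, err in
        DispatchQueue.main.async {
            if ok { completion(.biometric); return }
            switch (err as? LAError)?.code {
            case .biometryLockout, .userFallback:
                passcodeFallback(completion)
            case .userCancel, .systemCancel, .appCancel:
                completion(.cancelled)
            default:
                completion(.failed(err ?? LAError(.authenticationFailed)))
            }
        }
    }
}

/// Second stage: `.deviceOwnerAuthentication` lets iOS present the passcode
/// sheet, which is exactly what the iPhone itself does once Face ID is disabled.
private func passcodeFallback(_ completion: @escaping (LaunchAuthResult) -> Void) {
    let context = LAContext()
    let reason = "Enter your passcode to open the app"
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { ok, err in
        DispatchQueue.main.async {
            completion(ok ? .passcode : .failed(err ?? LAError(.authenticationFailed)))
        }
    }
}
```

Distinguishing `.biometric` from `.passcode` lets an app decide, for example, to require a fresh Face ID scan before a payment even though the passcode opened the app.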
We’re just scratching the surface of what this first generation of Face ID makes possible. Imagine the use cases as Face ID gains features like multiple user support and as Apple starts embedding it in other devices. As an example, one of the most significant problems in healthcare security is the need for users to authenticate quickly to shared workstations in clinical environments. I could see a future version of Face ID embedded in an iMac solving that problem, changing an entire industry, and selling a lot of iMacs!
I’ve previously said that Touch ID lets you use a strong password with the convenience of no password at all. Face ID exceeds that mark, and its introduction of continuous authentication may be the ultimate expression of effortless security.
[A previous version of this article aimed at security professionals appeared on my blog at Securosis.]
On using Apple Pay, I can see the utility in authenticating with Face ID, however I also see it could be a problem. As an example, I play a few games on my iPad. Every one I've played tries to "trick" me into buying stuff by presenting a dialog with some information to read or the result of some action, with an Ok button to tap when I've read it. A second or so after presenting the dialog, the game overlays the information dialog with a "special offer" dialog, with a "Buy Now" button that, in what I'm *sure* is *purely a coincidence* :-), overlays the Ok button. About once a week (and I don't play the games very often), I end up tapping Buy. With Touch ID it isn't a big problem, I just make sure I don't touch the home button while I tap Cancel. However, with "Continuous Authentication", it seems like I'll have to quickly look away or I'll end up authenticating a purchase because I happen to be looking at the device. Does Face ID do anything to prevent that situation?
I have an iPhone X. When I installed a new (free) app from the App Store, I saw a prompt to double tap on the upper right portion of the screen next to a white bar along the edge. It turned out that it was a prompt to double tap the side button in order to prompt Face ID to authenticate me and let me get the app. I believe that is the process that will be used for in-app purchases. So, you will still need to take a voluntary action to confirm them.
Ok, that's good to know, thanks.
I haven't laid hands on an iPhone X yet so I don't completely understand your description. But I did want to say that if you feel the app is trying to take advantage of you, you should report it to Apple. Even if the behaviour isn't against the rules, it might help shape a refinement to the rules.
Don't assume Apple sees the same behaviour in testing that you do via the App Store and was accepting of it. I once accidentally shipped an app that ran on App Review devices but crashed within a split second in the real world due to a bad boolean expression in startup/debug code. Highly embarrassing for me. But Apple didn't catch that crash, which means to me they might not catch an app misbehaving on purpose.
On "Touch ID lets you use a strong password with the convenience of no password at all", that's what I thought about Touch ID too, so when I set up my iPad Air I initially used a long, complex, hard to type (particularly on an iPad keyboard) password. Unfortunately, I'm asked every couple of days to enter my password to enable Touch ID, so I ended up shortening and simplifying my password because I have to type it so often. Certainly not as often as on my Touch ID-less iPhone, but more than I would have hoped. Does Face ID do the same thing, periodically requiring the password to enable Face ID?
Yes, you'll need to enter the passcode every so often, just as with Touch ID.
I believe that Face ID will revert to passcode if you do not authenticate for 2 days.
My wife and I use each other's iPhone. Will we still be able to with Face ID? Can we input 2 Face IDs just like two fingerprints?
The article explicitly says you can't do that.
"The only downside is that Face ID lets you register just one face"
Sounds like a ploy to prevent iPhone users from sharing their phones. By not allowing such sharing, each user will be forced to buy their own iPhone. Ka-ching! More excess revenue for Apple!
No offense, Dennis, but that's ridiculous. The ability to add multiple fingers to Touch ID merely provides faster access to a spouse's iPhone, and any couple that wishes to continue to access each other's iPhones in a Face ID scenario just shares the underlying passcode.
iOS devices have never been designed to be shared by multiple people, unlike Macs.
…neural nets, dude. That's just not how they work. :)
Nope, you'll have to fall back on using your wife's passcode, and she'll have to use yours.
Quote: That’s the real Face ID revolution. Since you’re almost always looking at your phone while you’re using it, Face ID enables what I call “continuous authentication.”
This is especially great if you need to do anything with your phone while operating a motor vehicle.
Quote: Only one face.
That is why I like touch ID - I can hand my iPhone to my s.o. and it will be usable. This is especially important if the iPhone is used for communication, not entertainment.
As much as I agree that multiple finger support in Touch ID was great for using a spouse's phone, having to type the passcode isn't a great hardship in most cases. We can hope that Apple adds support for a second person in the future.
An apparent side effect of that is if the two people are close to a match already, then the entering of the passcode causes the Face ID tech to "learn" from this latest appearance.
This only happens if the second face is sufficiently similar to the first to get a "close but no cigar" evaluation. The passcode entry causes it to assume it actually is the owner but that the face has changed a bit (as they do).
The end result may be that either person can unlock the phone with Face ID. In some cases this is a good thing, in others not.
This is a scenario that concerns me. But I think if it does something stupid, Apple's likely to correct it.
You do make it sound like a very attractive feature.
I have one issue that sounds a bit odd to me so probably I just didn't get the details right. It appears you don't just turn on the iPhone X and look at it so FaceID lets you enter. Instead you look at it which unlocks the tiny lock icon, and then you have to swipe up to actually get to the home screen. Is there really no way to set it up so that when you turn it on and look at it, FaceID automatically sends you to the home screen?
You do have to swipe up, but that action becomes second nature extremely quickly, since you have to use it to get back to the Home screen from within any app.
If you didn't have to do the swipe up on the Lock screen, Face ID probably wouldn't seem so fast, since you'd be staring at the lock, waiting for it to unlock. This way it's unlocked before you've finished swiping up much of the time.
So there is really no user setting to tell FaceID to just auto-unlock without swiping? I was under the impression that I've seen videos of people looking at their iPhone X to get it to unlock and then being shown the home screen right away. Older iPhones have a setting where resting your finger on TouchID also directly sends you to the home screen (or whatever app was last running) without an extra tap or swipe.
You do have to swipe, but you don't have to wait for the Face ID to complete to do so. So swiping immediately makes it unlock faster.
The thing that the user can control is whether or not visible user attention is required.
I'm being detained by a law enforcement officer of some sort. He holds my phone in front of me and says "Is this your phone?" I look at it. Is the phone now on, and in his possession, subject to his (rightfully or wrongfully) having access to its contents, such as email?
If so, I think it's very dangerous and will lead to overreaching by law enforcement.
If you're that paranoid about law enforcement, you should probably just turn off Face ID and rely on a good passcode.
Tom's scenario doesn't strike me as paranoid. I would imagine a LE officer asking somebody if a certain phone is theirs is actually a quite routine thing.
If in such a routine situation the officer is allowed to then start going through the phone simply because FaceID unlocked it, I would easily understand why a citizen should be concerned.
If you're concerned, then turn off FaceID and rely on a good passcode.
David, I actually turn off my fingerprint recognition on my iPad and iPhone whenever I travel by air or go out of the country. I have nothing to hide, but I respect my privacy and simply don't want others to know what I'm doing. Personally, I believe that constitutional rights should be enforced and recognized.
I don't do the same when I'm just moving around in the US. If I get an iPhone X, should I turn off FaceID? That's all I'm asking. What do I have to do to protect my privacy?
There's a lot of theory that can go by the wayside when you're at a border. See Geoff Duncan's article on the topic:
Tom A --
Well, forgive me for being abrupt, but the "all I'm asking" question you pose has been answered twice: yes, if you're concerned with that scenario, then you should turn off FaceID and rely on a passcode. Note that that was true with TouchID -- the courts have held that forced usage of a fingerprint is *not* a fifth amendment violation, but forced entry of a passcode is.
So you should be turning off TouchID full time already.
Understand what is happening.
As the Apple technology is copied/adapted into Android and becomes ubiquitous, those who have Face ID (which obviously will be essentially everyone) have given carte blanche to anyone (not just law enforcement, but ANYONE) who can gain physical control over the iPhone (or eventually, iPad).
If that person who has seized it can then pick up the device, point it at the owner and thereby open the device, then the owner has no privacy whatsoever. That lack of privacy is going to become universal.
Information on the iPhone/iPad could be deleted, or false and incriminating information could be added.
In a worst case scenario, suppose someone (a spurned lover? whomever) got control over the iPhone and put child porn on it. The photos could be hidden in a file and you know nothing about it until law enforcement receives a tip, and you're in trouble. Yes, that worries me, and yes, that means that I won't enable FaceID.
You can argue that the same thing can happen with fingerprint ID, and I would agree with you. There, at least, though, I have the protection that after "X" number of unsuccessful tries, the info on my device is wiped.
I have not seen any discussion of this.
The technology is wonderful. I'd love to use it, but on a cost/benefit analysis, you're right. I'll stick with a password.
Others may (and will) disagree, but, to steal a phrase from an old professor, "I suppose that's why they make more than one flavor of ice cream."
Sure -- but you're acting like this is newly dangerous, and it's not (the info wipe with TouchID isn't going to help if they have your finger to press against the phone, the equivalent of your scenario). So this has been the situation since the start of TouchID.
Oh, and FaceID has the X unsuccessful attempts and you're locked out as well.
Remember that Face ID works only if your eyes are open, which might prevent some unwanted unlockings and increment the counter of unsuccessful attempts.
Seems to me that if you're that concerned about possible takeovers of your iPhone, you should get a standard dumb phone instead. A passcode won't protect the iPhone from someone who threatens you with bodily harm if you refuse to unlock. It might not be legal, but it will be effective.
Tom, your points in my opinion are absolutely valid for anyone who cares about privacy - the implementation of Face ID is very similar to touchID. Below it’s mentioned that you can enable SOS mode to disable FaceID by clicking side button 5 times, however that initiates an SOS call and by default makes a loud noise and countdown on the phone, and is not necessary.
All that’s required to disable FaceID access is to press the side button and either volume button at the same time (just reach into your pocket and discreetly squeeze your phone). After about a half second, you’ll feel a unique vibration from the phone, and FaceID has been disabled.
Also similar to touchID, if the phone is restarted, or hasn’t been unlocked in the last (24?) hours, or the incorrect face has looked at it a few times, FaceID automatically gets disabled and it requires your passcode.
It’s still possible to erase your phone after 10 failed passcode attempts if you choose. Hope this sheds some more light on it!
Long press power button and one of the volume buttons without looking at the phone. This will open the emergency menu.
After this, "your passcode is required to enable Face ID" ;)
But that’s not the same problem with TouchID. So with FaceID you lose security AND convenience.
Isn't there a 5-click feature or something that disables the face id?
Yes. Pressing the side button five times will invoke SOS mode and disable Face ID until the passcode is entered again.
Not five times on the X, just hold the buttons on each side until there's a vibration acknowledgement.
Steve, I'm not paranoid, I'm just a law professor. As such, I worry about (wrong) things that might happen.
FaceID, by default, requires you to pay attention to the iPhone; i.e., actually look at it. Simply close your eyes, or don't look at the screen, and FaceID will not unlock the iPhone. You can disable that but it requires extra steps in settings.
They've implemented a simple lockout for this situation in iOS 11. Rapidly press the side button five times and the phone reverts to passcode mode. This works on current phones with TouchID as well, which has some of the same legal vulnerabilities.
What happens if the user's face is disfigured in a horrible accident and they need to call the emergency services? Will they always be able to do this, even with the most stringent FaceID configuration?
It would make no difference, since if Face ID doesn't work, you can always enter the passcode. And pressing the side button five times will invoke SOS mode to call emergency services without any authentication at all.
Continuous authentication is exactly why I don’t like FaceID. It’s a passive authentication method, whereas TouchID is an active one. So overall I believe FaceID is less secure than TouchID.
I think you're correct.
> The false positive rate, unless you happen to have an identical twin, ...
Tech Insider says:
"We tried tricking Face ID with twins. But Face ID wasn't fooled."
Joanna Stern showed it being tricked by triplets in the video above. Of course, there's no real way to know if either one was faked, or if the testing procedures were rigorous in either case, or even how well trained Face ID was before the test.
But even Apple has admitted that Face ID can be fooled by identical twins — it's not a stretch to say it can be.
Yes, there's also a video of a group unlocking the phone with a 3D printed mask created from careful mapping of the face. However, we don't know if it's legitimate. They could have trained the phone on that mask. It might even have been accidental.
When Face ID rejects a face, but only by a narrow margin, and then the passcode is entered, Face ID takes another measurement and uses that to augment its data. So in preparing that video it could be that the mask failed many times, but after each time they entered the passcode. Eventually that mask would become acceptable.
If so then obviously that is not a security risk at all.
“In short, Face ID allows your iPhone X to authenticate you under nearly every circumstance you need without requiring any action other than looking at the screen, which you’ll do anyway.”
…provided you’re a sighted user. The blind users I’ve seen (admittedly not very many) hold the phone to their ear.
It would be interesting to know how FaceID does work for a range of users who don’t look at their phone to use it.
There is already an option to just scan the face to unlock WITHOUT requiring the user's eyes to be open and looking at the phone. It is disabled by default to require looking, but is simple and easy to turn off. So a blind person could also use FaceID as well.
Great article. Just curious about why you disable Control Center from lock screen. Is it because of access to disable Wifi/cellular? What's the security concern?
It doesn't actually have to be a security concern, it could just be a concern about someone having access to your phone's features. Using Control Center someone could turn on the flashlight to run your battery down, or set a timer to go off while you're in a meeting, or take an inappropriate picture using your camera.