iPhone X
Experts weigh in on what to make of the iPhone X's Face ID. FranciscoFdez/PixaBay

The arrival of the iPhone X also brings a new form of authentication that Apple is hyping as its most secure yet. Those who make the leap to the iPhone X will be able to unlock their device using the facial recognition feature Face ID.

Apple has positioned the new biometric check as a vast improvement over previous forms of authentication. On its website the company claims “Your face is your secure password,” and during the September event unveiling the iPhone X, Apple said Face ID was a huge step up from the company’s prior biometric feature, the Touch ID fingerprint sensor.

If Face ID is everything Apple says it is, should users ditch passwords and passcodes in favor of just their face? Almost certainly not, but if done correctly, the biometric check could add another layer of hard-to-crack security to protect users.

The first problem Apple might run into with Face ID is consumer trust. “As of now, 40 percent of consumers think that biometrics are too risky and unknown for them to adopt,” behavioral biometrics expert and CEO of authentication company Plurilock Ian Paterson told International Business Times.


According to Paterson, there is still a knowledge gap surrounding biometrics that makes people nervous, and a general belief that the old system of authentication isn’t broke, so why fix it? “Consumers have a misconception that passwords are secure,” Paterson said, but noted “there’s risk in the way consumers log into their devices using traditional authentication.”

Facial recognition isn’t new—nor are biometric authentication tools—but Face ID is, and consumers aren’t the only ones with some skepticism about the security check. Hackers are too, but it has the inverse effect: they are excited to get their hands on the feature.

Speaking to BGR, CloudFlare’s head of information security Marc Rogers said, “For hackers like me, it’s game on.” For the crowd that likes to break things and take features like Face ID to their limits, the introduction of the new feature provides plenty of motivation to see just how much stress can be put on the biometric check before it breaks.

Touch ID underwent similar testing from security experts, whether they are white hat researchers or black hat hackers. For the most part, Apple’s original biometric authentication tool passed the tests it was given—with a few exceptions of some impressively elaborate attacks that were able to trick the sensor.

Face ID will get its run through the gauntlet, which will inevitably produce the possibility of a vulnerability in the security check. A recent survey of 129 hackers conducted by security firm Bitglass found facial recognition was considered the second least effective security tool behind standard passwords (facial recognition was also rated as the worst tool six times more often than fingerprint authentication) so hackers will be happy to take a crack at Apple’s attempt at the authentication method and see if the company can instill some trust in the tool.

That trust will likely come down to implementation, which will require Face ID to both earn consumer trust and win the endorsement of security experts who may be dubious about Apple’s latest innovation.

The secret to the consumer side of the equation is that Apple doesn’t necessarily need to pass the latter test to satisfy the former. While security is important to people—and is increasingly so in the age of massive breaches—so is convenience.

“When it comes to consumers actually using the feature, privacy may not be the stumbling block to the adoption of advanced biometrics, like Face ID, but rather how convenient the tool is to use,” Paterson said, noting there are user experience challenges that “may be harder to overcome” than other challenges.

Convenience is one of the primary reasons Touch ID proved so successful for Apple. Not only was it an added layer of security, it also fit naturally within the flow of how people interacted with their phones.

Face ID may not benefit from the same type of intrinsic design. While the average person looks at their phone 60 to 80 times per day, those are often quick glances. The initial demo for the feature stumbled out of the blocks, failing to unlock the device upon first use during Apple’s unveiling event—though it worked consistently after that. If Face ID has the same stumble for a person’s everyday use, they may choose to abandon the feature.

If it succeeds, it could be another major win for security of consumers. "If this is going to smoothly authenticate the user, it means the device is going to be kept secure but the user also isn't going to get frustrated by security so you're going to keep using security features," Jonathan Frankle, a PhD candidate at MIT’s Internet Policy Research Initiative, told IBT.

Andre Durand, CEO of Ping Identity, noted that Face ID also won’t be as integrated into the system as Touch ID—at least not yet. “They’ve added face-based unlock technology, but it requires users to put the phone to their face in order to unlock it and it doesn’t authenticate them to any apps on the device,” he said, which could prove an inconvenience for apps with extra layers of security like financial tools.

Facial recognition also has its own user experience issues that Apple will overcome, chief among them the technology’s inability to accurately identify a user.

These challenges have a number of origins, from the camera used to perform the scan to different lighting situations that may throw the system for a loop to a systematic problem with how the biometric algorithm is taught to read faces. The result is that many facial recognition systems are consistently less accurate when trying to identify women, African Americans, and young people.

Apple will attempt to combat those challenges with its revamped camera that “projects and analyzes more than 30,000 invisible dots to create a precise depth map of your face,” but only widespread use of the feature will prove how successful the company is at combating the shortcomings of the biometric method.

Users of Face ID may also have concerns about privacy. Should consumers trust Apple with an in-depth scan of their face? Will the company store that information securely? MIT’s Frankle said he couldn’t see many risks associated with Face ID when it comes to privacy.

"I'm struggling to see a privacy-invasive use of this technology. My conclusion is this is a net benefit for privacy," he said.

George Avetisov, CEO of biometric security firm HYPR, concurred with that assessment, noting “the real value-add for users is that both systems store biometric data on the device, rather than on a centralized server that could be targeted by hackers.” Avetisov theorized adoption of a decentralized biometric security tool could go a long way to prevent hacks and breaches.

As for the security side of the equation, Face ID may well prove to be another secure method of authentication—but users should be tepid in accepting it as a sort of fool-proof system for securing their device.

At its September event for the iPhone X, Apple claimed the likelihood of a stranger being able to unlock the device through Face ID is about one in one million, compared to one in 50,000 for Touch ID. Those figures are misleading.

The chance a totally random stranger will be able to unlock someone else’s device through facial recognition may well be one in one million, but such an attack is unlikely to be totally random. Attackers will attempt a number of methods to try to gain access to a person’s device and will search for novel ways to trick the facial recognition feature.

Previous forms of facial recognition have proven to be vulnerable to spoofing attacks, including using a photo or video of someone to unlock a device. Others have raised concerns about the device identifying a person while they are sleeping and providing access to an unauthorized user.

Avetisov was not particularly concerned about those issues with Face ID. “Apple is off to a good start with a great user interface that appears to be engineered with security in mind,” he said.

“When compared to fingerprint sensors, facial recognition can work on any device. The camera on the phones we use today is much more reliable than the fingerprint sensors. The Face ID liveness detection promises to hamper concerns that hackers could use photos or video of a person to log into their device with,” Avetisov explained.

If a flaw were to arise in Face ID, that is when security issues would truly begin. Frankle noted that thus far it doesn’t appear Apple’s facial recognition would fall victim to standard spoofing attacks but said, "Let's say there is a bug in facial recognition software. You can't change your face the way you change your password.”

He called biometrics just one piece of the authentication puzzle—one that has been “a long-standing, unsolved problem in computer science”—and said “Apple has gotten us no closer to solving it," though it has added a new tool to the arsenal of those hoping to secure their devices.

Durand of Ping Identity theorized Face ID could be the jumping off point for additional security protocols that could use sensors within the device to continuously identify the user and not require them to authenticate themselves with every use.

“This is the beginning of much bigger things to come. Innovations will continue as embedded chips become more powerful for processing the millions of data sets that sensors will be generating on handheld and other devices,” he said.

Such future methods will use a number of ways to authenticate users with minimal input, but users should take a cue from that process and recognize Face ID as just one part of their overall security. It is more secure than a password, but Face ID plus a password is more secure than just Face ID. Users should treat the biometric method as just another layer of security, not an excuse to abandon others.