With the iPhone X Apple has introduced Face ID, an authentication method the company claims is more natural than touch. Instead of typing a six-digit passcode or authenticating with their fingerprint, users will simply look at their iPhone X to unlock it.
The Technology Behind Face ID
To make this possible Apple uses a complex system of multiple technologies: a dot projector, an infrared camera and flood illumination. The technology, branded as the TrueDepth camera system, captures face data by projecting and analyzing more than 30,000 invisible dots that create a depth map of the user's face, while simultaneously capturing an infrared image of the face. That data is then sent to the “Secure Enclave”, and a portion of the A11 Bionic chip's neural engine transforms the depth map and infrared image into a mathematical representation, and compares that representation to the stored facial data, as explained by Apple in a support document.
Face ID is designed to understand user facial changes – such as makeup, facial hair, hats, scarves, glasses, contact lenses and sunglasses. For significant changes, such as shaving off a full beard, Face ID confirms your identity by requiring a passcode, which is when the face data is updated.
Why Do I Need to Keep My Eyes Open for Face ID to Work?
An interesting aspect of Face ID is that users need to keep their eyes open to unlock the device. Apple doesn't explain why, but this is likely an extra layer of security to make spoofing harder. An Apple patent application for “embedded authentication systems in an electronic device” filed in 2013 and published by the U.S. Patent and Trademark Office in mid-2017 gives us a hint at how this extra security is achieved. The iPhone's infrared camera can be used to project light into the user's eye, the reflection of which is then detected by a lens or optical sensor. The sensors built into the iPhone may detect movements of the user's eyes, for example, by tracking the position and movement of a user's retina, iris, blood vessels, or any other feature of the user's eyes.
Security Concerns of Face ID
The introduction of Face ID has prompted Senator Al Franken to send a round of questions asking Apple to clarify the privacy and security safeguards it has in place for biometric data. Franken was concerned that Apple could use the face information (known as faceprints) it collects through Face ID “to benefit other sectors of its business, sell it to third parties for surveillance purposes, or receive law enforcement requests to access its facial recognition system – eventual uses that may not be contemplated by Apple customers,” he wrote. Apple says the Face ID data doesn't leave the device and is never backed up in iCloud or anywhere else. The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 compared to 1 in 50,000 for Touch ID, according to the iPhone manufacturer.
Spoofing Your Biometrics
Along with Sen. Al Franken, future users have good reason to worry: so far, face recognition systems have been very easy to defeat. Security researchers bypassed such systems with a simple image printout, or by using a video showing the owner blinking.
In theory, spoofing Face ID will be harder due to the TrueDepth camera system that captures the 3D shape of the user's face. But it isn't impossible, and Apple is aware of that. As Marc Rogers – a security researcher at Cloudflare – puts it, the excellent user experience Apple is after forces the company to make security compromises.
Apple acknowledges the limitations of Face ID by having a passcode as a backup, which is used (instead of Face ID) when users first connect their iPhone to a computer. Secondly, iOS 11 allows users to disable Face ID or Touch ID by pressing the power button five times. That's definitely a win for the good old passcode and shows that even Apple is aware that biometrics are not ready to replace passwords and passcodes just yet.
Best Password Managers of 2019
|Editor's Choice 2019|