Apple’s iPhone has repeatedly popularized new methods to replace the password, swapping the passcode for fingerprints, and now, facial recognition. But does the iPhone X’s Face ID really offer users more security than Touch ID as Apple claims?
Apple’s AAPL, -1.04% Face ID technology works using its “TrueDepth” camera system, invisibly projecting 30,000 dots over a user’s face to create a 3D detailed mathematical model to verify their identity. The device can learn a user’s face and detect it even when its appearance and behavior changes. Users’ eyes have to be open and engaging with the device to unlock it, preventing the phone from being hacked by someone using a stolen photo. (Apple did not respond to request for comment.)
Don’t miss: How to get Apple’s new iPhone for half price
The tech giant claims the technology has a false acceptance rate (FAR) of 1 per 1 million whereas Touch ID has a 1 per 50,000 FAR, making it about 20 times more difficult to spoof than Touch ID. The technology can accurately determine if an adversary is trying to use a picture or video of the victim, according to Bojan Simic, chief technology officer of social media analytics company HyPR Brands, due to its “liveness” detection which monitors facial movements to determine a person’s identity. “It looks like Apple has introduced a very effective and easy to use algorithm into the market,” he said.
Still, other experts are not convinced. “This is a high-risk move for Apple, especially in the wake of the Equifax breach,” Matt Schulz, the senior industry analyst at CreditCards.com, said. “That debacle has put data security front and center in people’s minds. If Apple’s facial recognition tool proves to be significantly flawed, it could really damage Apple’s hopes for Apple Pay expansion. People simply won’t use a payments tool if they don’t think it is safe.”
The security of facial recognition has been questioned in the past, largely due to the ability of others to scan someone’s face without their permission. In theory, this would make it easier for law enforcement to open a phone, as a face scan would not violate fifth amendment rights.
It can also be more difficult than other biometrics to capture a face image, according to a study from information security company the SANS Institute, and less user-friendly for people with darker skin tones. “Select Hispanic, black and Asian individuals can be more difficult to enroll and verify in some facial-scan systems because acquisition devices are not always optimized to acquire darker faces,” the SANS institute wrote.
Apple reports to have overcome weaknesses in facial recognition in development, “but it remains to be seen how Face ID compares to Touch ID in practice for users,” Jason Chaikin, president of fingerprint sensor and biometric authentication company Vkansee — who obviously has a vested interest in fingerprint sensors — says facial recognition security comes down to a variety of factors, including resolution of image capture, brightness, 3D details. “Fingerprint is traditionally much more secure than face, and iris is traditionally even more secure than fingerprint,” he said.
In Apple’s case, it’s more likely users will be frustrated their phone is experiencing a false negative — locking them out of the device — than a false positive, mistaking someone else for them, Frances Zelazny, vice president of global cybersecurity startup BioCatch. One security method alone will always have its pros and cons, he added. Because of that, he suggests two- or three-factor authentication, such as fingerprint scans and traditional number passcodes.