How secure is Apple's Face ID?

As a kid, I was enthralled by science fiction films like 2001: A Space Odyssey, The Fifth Element, and Minority Report, hoping that the wonderful technology shown in these films — facial recognition, artificial intelligence, gesture controls, and flying cars — would one day become a reality. Today, we have access to most of these technologies, with the exception of flying automobiles, owing to the likes of Apple.

One of these emerging technologies is facial recognition. Face ID, Apple's replacement for Touch ID's fingerprint sensor, has been available to consumers since the release of the iPhone X. However, how secure is Face ID when we compare it to Touch ID, despite how nice, convenient, and futuristic it seems? What additional security or privacy concerns does it raise?

It's important to keep two things in mind while evaluating the security and effectiveness of various forms of authentication, including biometrics:

  • An attacker can guess, duplicate, steal or fake the authentication factor with relative ease;
  • It is not as secure as two-factor authentication!

And here’s why…

The inner workings of Face ID

Facial-recognition systems have always been weak authentication points because they were either simple to fool or highly sensitive to ambient conditions.

In addition to detecting movements in 2D video, Face ID uses a method called ‘structured light’ to map out 3D scenes. Taking this further, "TrueDepth" uses a structured IR light (30,000 dots) to create a 3D representation of your face by measuring the depth of various spots.

Now, this increases the identification accuracy and safety of Face ID dramatically. An old-fashioned photo or video will not mislead a 3D facial scanner, unlike in the past.

For Face ID to work, Apple advises you to stare straight into the phone’s camera. This means that the system is also looking for any movement of the eye or the pupil. The skin and texture cues seen in certain facial-recognition algorithms can also help increase recognition accuracy. But, this is not how Face ID works.

There is no such thing as impenetrable technology. When researchers used publicly available photos and the technology of photogrammetry, they were able to generate 3D representations of a person's face that were quite realistic (specifically, stereophotogrammetry). We shouldn't be surprised if researchers and attackers uncover additional ways to fool Apple's Face ID mechanism in the future.

In spite of all the Face ID joke memes and the botched log-in at Apple's launch event, I feel that Face ID has been built quite effectively. This facial-recognition system appears to be more secure than many others because of its underlying technology, I believe. Even a 3D-printed face isn't enough to pose a threat, you’d need to put in a tremendous amount of work to do so.

A digital copy of your face

The digital form of an authentication factor is a second security risk for authentication systems. To put it another way, can an attacker obtain a digital replica of your login credentials and log in as you?

As far as the numbers are concerned, Apple appears to have done an excellent job of protecting this information on paper. In Apple's words, the model of your face is never saved outside of your iPhone X. No network or cloud storage is used for this data. On an iPhone, a "secure enclave" is where the Face ID data is saved, much like how your Touch ID fingerprints are stored.

Security and cryptography operations are handled by a distinct processor in Apple's newest SOC processors, the secure enclave processor (SEP). This processor is separate from the main processor and runs on its own operating system.

It is possible to store a digital key (such as a Face ID model) in your phone's SEP, but the main CPU does not view or manage it. Only the "outcomes" of the key's activities are received. Your face isn't shown to the operating system; it just receives a "matched" or "not matched" response from an encrypted area of your device. Simply put, Apple has created a method that makes it extremely difficult for attackers to get your Face ID data.

Is it enough?

Researchers and hackers will eventually find a way to get around Face ID's security measures. When it comes down to it, no one form of verification can ever be completely secure. We can use something we already have (passwords) or something we know (tokens or certificates) to authenticate (biometrics). The concern is that these tokens may be stolen, guessed, or replicated in a variety of ways.

Biometrics, such as Touch ID and Face ID, have grown increasingly popular since they are considerably easier to use than passwords and provide a reasonable level of protection. A lengthy series of random characters and numbers is simply too difficult for the ordinary human to recall.

But we're falling into the same trap, as well. All authentication methods have flaws, including biometrics. We will one day learn that biometrics like Face ID are no better than passwords.

That's why multifactor authentication is the only option that is genuinely safe. We need to combine two or more parameters instead of using them on their own. Someone could definitely make a convincing clone of your face with enough time and effort, but what if your phone or bank account demanded that you log in with both your face and your password? That would make it a million times more difficult to decipher.

It's time to stop arguing over which authentication method is more secure: Face ID vs. Touch ID; certificates vs. passwords; or a combination of both. Face ID is a solid piece of hardware, but it's vulnerable to hacking if you don't use it in conjunction with anything else.