Security and privacy questions posed by iPhone X’s Face ID


The new top-of-the-range iPhone does away with the home button and its built-in fingerprint reader in favor of a new biometric — called Face ID — which uses a 3D scan of the user’s face for authenticating and unlocking their device. It also replaces Touch ID for Apple Pay too.

Apple suggests this is an advancement over a fingerprint reader because it’s an easier and more natural action for the user to perform — you just look at the phone and it unlocks; no need to worry if you have wet fingers and so on. Apple is working the convenience angle hard.

However offering to gate the smorgasbord of personal content that lives on a smartphone behind a face biometric inevitably raises lots of security questions.

And of course there’s already a mountain of high-pitched Twitter chatter on the topic, including speculation about whether the face of someone who is dead or sleeping, or otherwise unwilling to unlock their device in your presence, could be used to do so against their will.

This is exacerbated by existing face unlock systems on smartphones having a dire reputation.

A different facial recognition unlock feature used by Samsung has, for example, been shown to be fooled with just a photo of the face in question — making it laughably insecure in a digital era where selfies are traded publicly as the standard social communication currency.

Not to single Samsung out here. Android had a face unlock feature that could be just as easily spoofed way back in 2011. Even a subsequent version of Android Face Unlock, which required users to blink before it would unlock and give up its secrets, was shown to be conquerable with a sly bit of photoshopping.

However it’s clear that Apple has packed in both a lot more hardcore technology and a lot more thought to try to put its implementation of facial biometrics on a more solid footing.

The iPhone X’s camera is not just looking for a 2D image of a face; the sensor-packed notch at the top of the device includes a dot projector, flood illuminator and infrared camera, as well as a traditional camera lens, so it’s able to sense depth and read face-shape (including in the dark).

As we wrote yesterday, it’s essentially an Xbox Kinect miniaturized and put on the front of your phone. Ergo, Face ID would interpret a photo of a face as a flat surface — and therefore not actually a face.

Although the proof of the pudding will be in the eating, as they say.

There was a brief on-stage demo fail when an iPhone X apparently failed to identify Craig Federighi’s face, and therefore wouldn’t unlock — displaying the other potential problem here, given that a tech that’s too unyielding in opening up to its owner may be highly secure but it won’t be at all convenient.

The Apple exec’s first reaction at being unexpectedly locked out appeared to be to wipe sweat from under his eyes — suggesting the sensors may be confused by shine. We’ll have to wait and see.

Read the source article at TechCrunch.