Apple’s Cautious Use of Face ID
Face ID may indeed be more accurate than Touch ID, but Apple isn’t willing to say it’s perfect. Like many biometric technologies, it can suffer an “evil twin” attack.
Apple’s upcoming iPhone X will ditch its fingerprint sensor in favor of a multicamera system, but it still expects some users to opt for a PIN code. In eliminating the fingerprint sensor to accommodate an edge-to-edge display, Apple had to redesign a lot of the ways its smartphone handles common interactions, especially payments. And while the company touted the strength of its new Face ID system, it came with a few words of caution.
“If you happen to have an evil twin, you really need to protect your sensitive data with a passcode,” warned Phil Schiller, Apple’s senior vice president of worldwide marketing, in a presentation announcing the company’s newest smartphones.
A stranger who picks up the phone has a one in a million chance of being able to trick the camera — a huge improvement from the one in 50,000 chance with Touch ID, which Schiller described as the “gold standard” of biometric authentication. The protection is weaker when people such as family members share traits with the phone’s owner, but Face ID has safeguards against being unlocked by a sleeping user’s face or a photo of the user.
“Face ID also works with Apple Pay,” Schiller said. “You look at iPhone X to authenticate and hold it near the payment terminal to pay.”
Third-party financial and security apps like Mint, 1Password and E-Trade also support Face ID authentication, Schiller said. The iPhone 8, announced alongside the iPhone X, still uses Touch ID instead of Face ID.
Despite Apple’s advances, the company has never felt confident enough to totally remove PIN authentication. When Touch ID launched, Apple even saw fit to strengthen its PIN security, requiring a six-digit PIN instead of the four-digit PIN it supported on previous iPhones. That change made it far less likely for a stranger to guess the user’s PIN — one in a million compared to one in 10,000, Apple said at the time.
Schiller’s warning is likely in response to publicity surrounding attempts to defeat biometric authentication. In May, a BBC reporter and his non-identical twin brother were able to fool HSBC’s voice biometrics phone banking system. Such efforts are worrying for companies that want to advance biometric authentication, even if they are unlikely to apply to most consumers.
Apple isn’t the first to support facial biometrics for smartphone authentication and payments. Samsung introduced a similar feature in its ill-fated Note 7 smartphone last year, which had an iris scanner built in. The feature survived into its Note 8 device.
Phil Schiller, SVP of worldwide marketing at Apple, explains the iPhone X’s facial recognition system during a presentation on Tuesday, Sept. 12.