The upcoming iPhone 8, or iPhone X, is bringing some major changes to Apple’s flagship device, the biggest of which is the removal of the home button. This move allows for increased real estate on the device for the screen, but it may eliminate one of the iPhone’s most popular features – Touch ID. For those of us in the biometrics community, this move raises a few questions, and looking at the functionality of the company’s new approach to mobile biometrics, Face ID, the main question is “What is Apple thinking?”
While the thought of taking a selfie to sign into your phone may seem fun and easy, there’s actually a lot more going on behind the scenes. We need to consider both the usability and security ramifications of this change – especially in a world where hacks on enterprises and individuals alike are increasing in both frequency and severity.
Face vs. Fingerprint
Facial recognition is a very different biometric modality than fingerprint. Fingerprinting captures very well-defined data – fingerprint minutiae is universal and immutable. This makes it reliable even in adverse conditions and extremely unique. Our faces, on the other hand, change over time, or even day to day. Growing a beard or wearing heavy makeup can make facial recognition fail, and in many cases, it is considered easier to “spoof,” making it far less secure than fingerprint, and more likely to fail even in legitimate uses.
While the selfie has taken off in popularity, it is much less convenient for biometric authentication than fingerprints. For starters, touching your finger to a sensor on your phone is much faster and more discreet than raising your phone to take a photo. Furthermore, a fingerprint isn’t affected by adverse lighting conditions or the changes that occur to our faces due to the factors I mentioned previously.
Of course, there’s also the issue of security. Face systems have been spoofed with ease by photographs and masks. While Apple’s past technology purchases and patent filings indicate it is taking serious steps to tackle this issue with infrared cameras for depth tracking and the possible ability to even “see through” masks and the like, it could remain a major challenge.
May the Best Biometric Win
In a contest between face and fingerprint for biometric security, I would pick fingerprint every time. Face may seem novel, but it isn’t more secure and it’s more of a pain to use, especially in many of the use cases where people feel comfortable using Touch ID, such as when authenticating a mobile payment in a store. If Apple is truly set on eliminating the home button and is unable to perfect an under-screen fingerprint sensor, perhaps they should explore contactless fingerprinting options in the meantime, rather than negatively affecting security with a biometric that’s performance simply doesn’t meet the needs of modern consumers.
While we have been critical of the use of face over fingerprint, I am impressed by the technology Apple unveiled on September 12. The use of an infrared camera, as well as a dot projector to build an accurate 3D model of the face should help dramatically reduce the threat of an iPhoneX being spoofed by a mask, photo, or makeup.
That said, the complete removal of Touch ID may still be a mistake for Apple. Not based on security, but user adoption and comfort. iPhone owners have been using Touch ID since 2013, and the switch to face may set some of them back to how they felt then, faced with a new authentication technology that might seem foreign, but could soon be the norm. It will be interesting to see how the iPhone X sells, and how the technology actually works, when the phone hits the market in November.