Apple FaceID Shortcomings Reiterate Need for Multi-Factor Authentication

Only a couple of weeks have passed since Apple shipped its first iPhone X smartphone and already hackers have claimed to circumvent the device’s FaceID authentication system. Using a combination of 3D printed mask, color printouts, and a silicon nose mold, the group demonstrated that it could fake the iPhone X sensor into believing the mask was the trained user.

A lot of questions remain to be answered about how easy this experiment is to duplicate and if the hackers did this without modifying the facial features of the human when FaceID was initially set up.

The potential vulnerabilities of facial recognition systems are further being tested by consumers. Siblings and children are unlocking the family iPhone Xs and posting videos on YouTube of it not working. While these early reports may not be indicative of a systemic issue with the FaceID subsystem, it only takes a handful of bad user experiences to cause the entire market to form a negative opinion of a product, service, or brand.

Most consumer-based biometric technologies for smartphones and tablets are not considered “true” or “full” biometrics. Consumer solutions generally use fewer minutiae points (specific points on a finger or face) than live fingerprint scanners used at border control checkpoints (which is about 30), for example, and this knowing that individuals share generally about 8 similar minutiae. Consumer implementations do not check for liveness either, making the product much easier to hack. This is going to be true for other consumer biometrics, including facial recognition.

Nevertheless, it shows that FaceID should not be an iPhone X owner’s only means of authentication, rather multi-factor authentication (MFA) or continuous authentication techniques are necessary to keep access to a device from falling into the wrong hands. MFA is the approach that businesses use to address the shortcomings of passwords.

A lot of passwords can simply be guessed. Creating a strong password (containing mixed capitalization, numbers and symbols) to counter this can lead to forgetting it or causing one to write it down. Similarly, some passwords end up being shared among family members, friends or coworkers, which also creates additional vulnerabilities. Compounding these challenges, remembering strong passwords for 10’s of sites and login scenarios, is not a human strength.

Some believe that to overcome the challenges of the password, a new paradigm for authentication must be created. Here are some of the methods being considered:

Biometrics: Fingerprint scanners have proven useful for protecting access to systems. Reliability of scanning is generally good enough, with resolution of the scan continuing to increase in each generation of the sensor. The risk with biometrics is that there is only one fingerprint per person.

Gestures and Patterns: Drawing a pattern on a touch display is one of the newer methods for identifying a user. However, this approach can be compromised in many of the same ways that a password gets shared or attacked. This authentication method is more applicable for a broader range of users than a traditional password.

Facial recognition: As the name suggests, facial recognition uses a camera to match against a known database of users. Facial recognition software uses reference points to match the user, which has shown in some instances to be readily fooled by placing a photo of the user in front of the camera.

Microsoft Hello in Windows 10: Microsoft Hello uses a 3D depth-sensing camera or a fingerprint reader as a form of user authentication. By sitting in front of the Windows 10 system, the user’s face unlocks the system.

Continuous Authentication: A relatively new method is technology that repeatedly continues to authenticate a user during the session. Distinct measurements - such as the intensity of a user’s touch on a mobile device, using photos for facial recognition, and how a user swipes the display - are taken during a session. If enough deviations from the normal user behaviors are detected, some systems will attempt to re-authenticate.

Like many methods for interacting with technology, there is no single right or wrong way to overcome privacy and security beyond passwords. Some are pushing for the end goal being a universal login, though there are realistically several interim steps that must occur before this can be realized. The best approach appears to be adopting MFA. Rather than passwords going away entirely, the password or a PIN can remain as one of the authentication factors.

Using behavioral biometrics is an effective way to extend authentication during use in a continuous manner. This can use many features that are readily available on a smartphone: MEMS for gait, pace, movement, haptic feedback for strength and pattern of swiping/tapping/strokes/pressure, GPS/Wi-Fi for geolocation, etc. This relies on the development of machine learning-type solutions but added to password/code and combined biometrics (face and fingerprint), can provide an acceptable authentication platform for consumers.

Industries must provide education, alerts, and implement safeguards as life beyond the password evolves. One of the side-effects of becoming an increasingly connected world is that more of the systems, networks and human-interfacing devices that used to be isolated are now accessible. New connected environments must be designed with security built in.