Sure, Face ID is neat, but it cannot replace a good old fashioned passcode

Apple's iPhone X is one of several technologies bringing facial biometrics into the mainstream. It seems to have everything bar a heat scanner; the TrueDepth camera projects an impressive-sounding 30,000 infrared dots on to your phiz, scanning every blackhead in minute 3D detail. The company claims some impressive figures, and …

  1. Dave 126 Silver badge

    Hence all the scenarios in which an iPhone will fall back on demanding a passcode by design. And Face ID and Touch ID are both optional, and both can be disabled quickly without taking the phone out of your pocket.

    For convenience, I use an X character long passcode on my Nexus phone rather than a 2x or 10x passcode. A balance between security and convenience is inevitable at this stage.

    Apparently pattern unlock can be easily ascertained by an observant attacker on the other side of a room.

    Recent news stories have given us the impression that the FBI find it a major ball ache to access a locked iPhone... I don't know how competing handsets compare. I suspect that if I were a drug lord, I'd be looking at OpSec more holistically, especially with regard to human tendencies to get lazy over time.

    1. Len

      True. I see Face ID as a replacement for Touch ID, not the passcode. And neither Face ID nor Touch ID is designed as a replacement for the passcode.

      Apple already required the use of the passcode for some of the more important identification tasks such as on first boot and changing the firmware. Since US law enforcement and border staff have become more aggressive they have only made the passcode more important.

      I think the main outcome of Touch ID has been that more people have secured their iPhone than previously because of the added convenience. My mother used to have 0000 as her passcode until she got Touch ID because she found four unique digits too cumbersome. Since then Apple has moved to a six digit passcode which she would have found even more of an obstacle for everyday use. Now she has a proper six digit passcode she only occasionally has to enter. I call this a win for security.

      1. roytrubshaw

        "I see Face ID as a replacement for Touch ID, not the passcode."

        Hear! Hear!

        Can we all have a chorus of: "Biometrics are a user id NOT a password!"

    2. Anonymous Coward

      You may be right

      Although it is not clear if the FBI can simply hold the phone to the face willing or no.

      Does it still work if you get a nice big black eye from the beatings? That would change the shape and heat map of your face, or are they now going to have to be more careful of people they catch?

      Some of the systems will clearly still pass a corpse if masks work, particularly if it's fresh...

      Or are they so sensitive that if you cut yourself shaving you can't pay for your morning coffee. Or if you are bashed up after a car accident you can't unlock the phone to call 911.

      Although face ID may be relatively reliable, there are still a lot of ways for it to go wrong or be misused in my view. Although described as a retrograde step, I would be far happier if I still used a second factor IMHO. Convenience is often the enemy of security.

      1. Dave 126 Silver badge

        Re: You may be right

        > Although it is not clear if the FBI can simply hold the phone to the face willing or no.

        Touch and Face ID can both be temporarily disabled by five quick taps of the home button (or power button on the X). Whether the user does this depends upon what is pointed at them when 'Freeze! Put your hands in the air!' is shouted at them.

        For the FBI to copy files from the phone to a computer they still need the passcode, even if they lay hands on an unlocked phone.

      2. Anonymous Coward

        @AC "far happier if I still use a second factor"

        Yes, but what's the second factor to unlock a phone? Even if they still supported Touch ID, having your phone use both Face ID & Touch ID isn't additive. Face ID is harder to fool, so if you manage that, fooling Touch ID is a lower bar that doesn't really deliver any extra security - it doesn't give you the true benefit of a second factor.

        A proper second factor to a face or fingerprint (something you have) would be a password (something you know). But if you're going to use a password anyway, then what's the value of face/fingerprint unlocking since the convenience of not using a password is now gone. After all, the "something you have" for unlocking your phone is your phone!

        The problem with wanting to use a second factor unlocking a phone is that the phone is probably going to BE the second factor for everything else in life you need dual factor for.

      3. fidodogbreath

        Re: You may be right

        Or are they so sensitive that if you cut yourself shaving you can't pay for your morning coffee. Or if you are bashed up after a car accident you can't unlock the phone to call 911.

        No, it doesn't mean that at all. You can always just enter your PIN or passcode. Face scanners, fingerprint readers, etc. are a convenience feature. They work in tandem with a "something you know" factor, they do not supplant or supersede it.

  2. teebie

    "He explains that an increase in one error rate decreases the other. "

    Well he shouldn't do. If you correctly identify Dave 99 times in a 100, the false negative rate is 1%. If you then change the algorithm to recognise all photos of oranges as Dave the false positive rate rises, but the false negative rate stays the same.

    1. Anonymous Coward

      Depends on the algorithm, doesn't it? The way Apple explains it, if your phone fails to unlock and then you immediately unlock with a password, it will use what it 'saw' to update its information about what you look like.

      If I hold up a doll's head to my phone, the unlock fails and I provide my password, and do that over and over and over again, maybe eventually it will learn to unlock with that doll's head. But since it is all the while updating its understanding of what I look like, I'll bet it wouldn't unlock with my face any longer because I wouldn't look enough like that doll's head.

      It isn't like the phone just stores a bunch of pictures and compares to them, so it can simultaneously have my face and the doll's head. It has only one face, which means unlike Touch ID where you could register fingers from multiple people like a spouse or parent, it can't be simultaneously trained for two people. If you start with one and then try to make it learn the other, it will "forget" the first (though more likely I'll bet it simply will never be able to be trained with a new face that's too different, but I don't know that for sure)
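The disagreement above about whether one error rate must move when the other does comes down to what kind of change is made to the matcher. For a score-based matcher that accepts a probe when its similarity to the enrolled template clears a threshold, moving the threshold does trade false accepts against false rejects; teebie's "accept all oranges" is a different kind of change, a new accept rule bolted on beside the threshold. The following is an added example, not Apple's or anyone else's code from the thread: it runs a constructed set of genuine and impostor similarity scores through an "accept if score >= threshold" rule, reports the false accept rate (FAR) and false reject rate (FRR) as the threshold moves, and finds the equal-error operating point. The score values are made up for illustration.

```python
"""Threshold trade-off between false accepts and false rejects in a
score-based biometric matcher (constructed example, not a real matcher)."""

# Constructed similarity scores in [0, 1]: how closely a hypothetical matcher
# rated each probe image against the enrolled template.
GENUINE = [0.91, 0.88, 0.95, 0.83, 0.79, 0.90, 0.86, 0.65, 0.93, 0.68]   # the enrolled user
IMPOSTOR = [0.41, 0.55, 0.62, 0.35, 0.48, 0.74, 0.52, 0.44, 0.66, 0.71]  # other people


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) for the decision rule 'accept if score >= threshold'.

    FAR: fraction of impostor probes wrongly accepted.
    FRR: fraction of genuine probes wrongly rejected.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def tradeoff_table(genuine, impostor, thresholds):
    """Rows of (threshold, FAR, FRR) so the opposite movement of the rates is visible."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def is_monotone_tradeoff(rows):
    """True if, as the threshold rises, FAR never rises and FRR never falls."""
    for (_, far_a, frr_a), (_, far_b, frr_b) in zip(rows, rows[1:]):
        if far_b > far_a or frr_b < frr_a:
            return False
    return True


def equal_error_threshold(genuine, impostor):
    """Threshold (chosen among observed scores) where FAR and FRR are closest.

    This is the usual equal-error-rate operating point. A vendor that wants
    fewer false accepts must move the threshold above it and accept more
    false rejects, which is exactly why the passcode fallback has to exist.
    """
    candidates = sorted(set(genuine) | set(impostor))

    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)

    return min(candidates, key=gap)


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7, 0.8, 0.9]):
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    eer_t = equal_error_threshold(GENUINE, IMPOSTOR)
    print("equal-error threshold:", eer_t, error_rates(GENUINE, IMPOSTOR, eer_t))
```

Running it shows FAR falling and FRR climbing as the threshold is raised; the Apple claim quoted in the thread describes this threshold curve, while teebie's objection describes a change to the accept rule itself, which the curve does not cover.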

  3. Charles 9

    So how do you solve the problems of people with memories too shoddy to remember a pass code or the like? Was it 'correcthorsebatterystaple' or 'donkeyenginepaperclipwrong'?

    1. hplasm

      "So how do you solve the problems of people..."

      Cluebat.

      1. Charles 9

        Re: "So how do you solve the problems of people..."

        May not survive. Any other ideas?

        1. cbars Bronze badge

          Re: "So how do you solve the problems of people..."

          How do you solve the problem of people who forget/neglect to lock their doors and windows? Void the insurance?

          How do you solve the problem of people who leave their wads of cash on a car seat while it's parked near a pedestrianised area? You don't/same as above

          You can create security technology to help people, you can create it cheap enough for the majority of people to afford; but at some point, it really is someone else's problem.

          1. Charles 9

            Re: "So how do you solve the problems of people..."

            1. The insurance may not be void, but there can be a case for a claim not being paid on account of negligence. Depends on the policy.

            2. Sometimes, there's nowhere else to put it, such as this being outside the bank.

            3. Until it's YOUR problem, such as it being your mom. Meaning you can't just say no or face serious family issues. Trust me. I speak from firsthand experience.

            Speaking of front doors, why can't you make it like the front door so that all you have to do is turn a key or something like that. Something even a gran can relate to.

            1. cbars Bronze badge

              Re: "So how do you solve the problems of people..."

              This is probably what people said when front door locks were invented.

              "But I have to remember this stupid key thing and fiddle around whenever I want to get into my house? That's too hard/inconvenient, I'm used to just popping the latch or opening the gate without all this messing about"

              I can quite happily say no to any member of my family without repercussions, I'm sorry to hear that's not universal. You can offer advice, if it's ignored then I refer you to my previous comment: it's somebody else's problem.

              1. Charles 9

                Re: "So how do you solve the problems of people..."

                And like I said, it's always somebody else's problem until the problem is dropped squarely in your lap. And when a problem is dropped in your lap, it's considered very bad form to ignore the problem because of the Golden Rule; eventually, YOU'LL have a problem, and if you can't trust family, you basically can't trust anyone unless you're already of the type who insists on doing everything him/herself.

                Plus there's always the situation where YOU have the bad memory. Then it CAN'T be Somebody Else's Problem anymore.

        2. Captain DaFt

          Re: "So how do you solve the problems of people..."

          May not survive. Any other ideas?

          Use a kendo sword as your clue bat.

          Hurts like hell when applied properly, but does no long term damage. ☺

          1. Charles 9

            Re: "So how do you solve the problems of people..."

            "Hurts like hell when applied properly, but does no long term damage."

            Unless (1) it splinters, and/or (2) you experience it end-on.

            See this thread about shinai accidents.

  4. Milton

    It's all about Purpose

    Apple are not the only manufacturer to use their marketurds to deliberately confuse and mislead customers, so this is not an anti-Apple dig except insofar as it is the most high-profile recent offender.

    The problem is that fingerprints and face-id are not only not the same as PIN, they are actually for different purposes. It's a mistake (a deliberate one by Apple et al) to conflate "*quick* access for me" with "access *only* when I approve".

    Fingerprints and face-id provide a means of quick access which works for the user while making it unlikely that anyone else in the vicinity can get the same ready access to the device. Some effort is required to copy fingerprints, and bit more still to replicate faces. It's perfectly obvious that both are insecure given that the Stasi can physically coerce you into swiping a finger, or even more easily just wave your own phone at your face, to unlock. More sophisticated black hats can copy prints and so on, which makes both technologies quite useless for those with real secrets, against whom professional resources would be worth deploying.

    PIN, on the other hand, while being inherently slower and more fiddly, fills the "access *only* when I approve" purpose. Using a 10-digit mixed-alpha-symbo-numeric passcode gives you around 3 sextillion options (3x10^18) which, even if we assumed the phone's code was so poor as to allow endlessly repeated tries every millisecond, would take a mean time of over 40 million years to successfully brute-force. And of course, while the Stasi can fingernail the PIN out of you, that requires time and effort and some damage, a risk and investment that goes far beyond simply waving the device's camera at you. Even Trump's imbeciles at Homeland Security know better than to leave torture marks on journalists. (And of course, a properly secure device will allow a purposely incorrect passcode to permanently wipe its contents, so that the paranoids and spooks can trash the data even while the splints burn down to the quick.)

    So I submit that we're missing the point with blanket dismissal of fingerprint or face-id, and should be more specific in our criticism.

    Face-id and fingerprint are fine for quick, easy access and very poor security.

    Long, random PIN/passcode, well implemented on a properly encrypted device that does not allow repeated rapid brute-forcing, is the only truly secure system if you really need secrecy.

    And bear in mind—no one should need to be told this in 2017—leaving stuff on your mobile device like bank details, stored passwords, automatic logins, may well count as "needing secrecy". You don't necessarily need to be a spook or a Guardian journalist.

    The enemy of decent security is laziness, when you come down to it.
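The brute-force arithmetic in the post above is easy to redo for any passcode shape and, more usefully, for any attempt rate, since the rate is what a rate-limiting or escalating-lockout implementation controls. The following is an added example, not code from the article or the thread: it computes keyspace, entropy in bits and the mean exhaustive-search time for a uniformly random passcode. The charset size of 70 used to approximate a "mixed alpha/symbol/numeric" alphabet, the 1000 attempts per second standing in for "one try every millisecond", and the 80-second lockout per attempt are all assumed figures for illustration, not any vendor's actual settings.

```python
"""Passcode keyspace versus attempt rate (constructed example)."""

import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31,557,600 s


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passcodes of the given length over the charset."""
    return charset_size ** length


def passcode_bits(charset_size: int, length: int) -> float:
    """Entropy in bits, assuming a uniformly random pick from the keyspace."""
    return length * math.log2(charset_size)


def mean_crack_seconds(charset_size: int, length: int, attempts_per_second: float) -> float:
    """Expected time for exhaustive search to hit a uniformly random passcode.

    On average the attacker succeeds after trying half the keyspace.
    """
    return keyspace(charset_size, length) / 2 / attempts_per_second


def mean_crack_years(charset_size: int, length: int, attempts_per_second: float) -> float:
    return mean_crack_seconds(charset_size, length, attempts_per_second) / SECONDS_PER_YEAR


# Assumed scenarios (labels, charset size, length, attempts per second).
SCENARIOS = [
    ("4-digit PIN, no rate limit (assumed 1000/s)",        10,  4, 1000.0),
    ("6-digit PIN, assumed 80 s lockout per attempt",      10,  6, 1 / 80),
    ("10 chars from 70 symbols, no rate limit (1000/s)",   70, 10, 1000.0),
]


def compare(scenarios=SCENARIOS):
    """Return (label, bits, mean years) per scenario for a quick side-by-side."""
    return [
        (label, passcode_bits(n, k), mean_crack_years(n, k, rate))
        for label, n, k, rate in scenarios
    ]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:50s} {bits:5.1f} bits  ~{years:.3g} years")
```

The point a defender should take from the three rows is that the 6-digit PIN with a lockout lands in the same order of magnitude as a year, whereas the same PIN with no rate limit falls in seconds: the device's refusal to accept rapid repeated tries does more work than the extra digits do.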

    1. Dave 126 Silver badge

      Re: It's all about Purpose

      Apple give users the choice of using biometrics or passcode for an easy unlock, but other operations on the phone still require a passcode. Apple also communicate to their users that Touch and Face ID can both be temporarily disabled by five quick taps of the home button (or power button on the X) should they be coming up to a border checkpoint, so I'm not sure that the charge of 'deliberately confusing and misleading' sticks.

      1. Not also known as SC

        Re: It's all about Purpose

        "Apple also communicate to their users that Touch and Face ID can both be temporarily disabled by five quick taps of the home button "

        I've just tried this on my iPhone 6s on iOS 11.0.3 and it doesn't work. Is there a special technique?

        1. Dave 126 Silver badge

          Re: It's all about Purpose

          @Not also known as SC

          Sorry, my mistake: it's flipping the Sleep/Wake button five times that disables Touch ID on iPhone 6 and 7. On the 8 and X it's holding down the side button plus either volume up or volume down.

          https://www.theverge.com/2017/8/17/16161758/ios-11-touch-id-disable-emergency-services-lock

          1. Not also known as SC

            Re: It's all about Purpose

            Thanks - I'll give that a try.

    2. Anonymous Coward

      Passwords are vulnerable on phones too

      Realistically, if you are typing in a complex password every time you grab your phone because you don't trust fingerprints, faces and so forth to be secure since they aren't "passwords", it will be pretty easy for someone to snag it. I mean, how are you going to ensure that no one is looking EVERY TIME you unlock your phone - including CCTV cameras that you might not be able to see, or someone simply holding their phone up behind you to video it where you can't see them?

      In theory a complex password is more secure, but because you are inevitably going to enter your password in public, in practice I don't think it matters much.

      Let's say hypothetically Apple was able to improve Face ID to where it was impossible to fool, and it could even tell twins apart. That's great, right? The problem is you'd still need a password, and that password would still be vulnerable to someone seeing it entered, so this holy grail perfect Face ID wouldn't really improve the security of the phone much at all. At some point, if face/fingerprint/etc. biometric scanners become good enough, the password that the phone will always need to have (to provide a unique encryption key, something biometrics could never do even if perfect) will become the low hanging fruit.

    3. fidodogbreath

      Re: It's all about Purpose

      The problem is that fingerprints and face-id are not only not the same as PIN, they are actually for different purposes [...] Long, random PIN/passcode, well implemented on an properly encrypted device that does not allow repeated rapid brute-forcing, is the only truly secure system if you really need secrecy.

      Right. And face unlock, fingerprint unlock, etc. are optional features. If you don't enroll your face / fingerprints / whatever, then those systems are effectively disabled.

  5. Anonymous Coward

    "various people backstage had been messing about trying to authenticate with it"

    I've heard some whoppers in my time but that's an instant classic.

  6. brotherelf

    The oh-so-secure enclave

    Unfortunately, in about two years, people will complain that their new iToy needs to learn their face all over again, even though "the old one recognized me perfectly"; also, the iBigscreen device will not recognize the user by face even though it's linked to the same iTunes account, so the facial fingerprint (i.e. the fine lines in your facepalm) will move onto the iCloud servers that are iAbroad under a different iJurisdiction at the behest of iMarketing.

    1. Anonymous Coward

      Re: The oh-so-secure enclave

      It took me about two minutes to train my phone to recognize my face. Even if I got a new phone every year, that's hardly an imposition.

      I suppose if they really wanted to, they could make it so that an encrypted iTunes backup can export the data (if indeed there's any way to get it off the secure enclave) but who knows that might not even work due to manufacturing tolerances in the sensors.

      You'll have to find something else to try to be alarmist about, Apple isn't going to put this data in the cloud.

  7. Hans Neeson-Bumpsadese Silver badge

    Biometrics are always at risk of copying because they're not secret

    Exactly - so when are the manufacturers going to realise that it's a blind alley as an authentication mechanism? As facial recognition mechanisms get more sophisticated they will demand more battery power for extra sensors and computation - battery power which is in short supply on a device like a smartphone, and could be better conserved for other tasks.

    1. Anonymous Coward

      so when are the manufacturers going to realise that it's a blind alley as an authentication mechanism?

      They don't care, because of the reasons they entered the blind alley. It's hardly a coincidence that Apple, Microsoft, Google are all piling into facial recognition at the same time - much of the tech sector do innovation sporadically and badly, indulging instead in cowardly peer-pressure development of the latest hip technologies, regardless of effectiveness, or of market demand. Hence everybody throwing fingerprint sensors at their phones, now rushing to have facial recognition, and all salivating over "augmented reality". Look at the plethora of eavesdropping "digital assistants", either standalone or integrated to phones - who amongst the customer base actually asked for that?

      This "me-too" approach is also common in Silicon Valley's approach to business models, with Microsoft trying and failing to become like Apple in the phone sector, after trying and failing to be like Google with the aQuantive disaster. Google meanwhile tried to be Facebook, before admitting defeat, and are currently trying to be like Apple with the high priced Pixel devices and HTC tieup. Meanwhile, the other man's grass still looks greener even if you're in Cupertino - Apple have tried to ape Samsung with "a different model of phone for everyone" - I suspect that in years to come this will be seen as a negative turning point.

      And so it goes on. Very few large companies in any sector or any market plough their own furrow. I suspect due to directors demanding that whatever they read the opposition might be doing, they must also do. Apple was a company that did its own thing under Saint Steve, but under Dullenfuhrer Cook it is progressively losing that singular vision, and the value proposition is not real differentiation, merely brand (although that's working out well this far).

    2. Dave 126 Silver badge

      Why are the manufacturers being blamed here when the choice to use easy/insecure or fiddly/more secure is left to the owner of the phone?

      It seems that some manufacturers have done their part by making it bloody hard to get data off a locked phone.

      1. EnviableOne

        Because the Marketing department push the insecure/easy method as Secure and Simple, so joe fanboi thinks their data is safe, when anyone with a clue knows they are just fooling themselves.

  8. Pete 2 Silver badge

    Read my lips

    A static solution: merely looking for matches on a stationary (or very nearly so) face seems too simple. A better solution would be able to check several metrics simultaneously.

    For example having to say "hello iphone¹" while having the camera watch how your mouth moves. It could recognise both the sound of your voice, the words you spoke plus the shape and movement of your mouth. Move the fingerprint detector to the side of the phone (where you hold it) and it could use that as another factor.

    With a little refinement it could even make a dental appointment for you if it detected the signs of caries.

    [1] or whatever phrase the user had chosen

    1. Anonymous Coward

      Re: Read my lips

      So if you get slugged in the face so that you lost a tooth and now speak with a lisp, you're basically screwed?

      PS. There's still the possibility of wearing a sufficiently realistic mask while miming to a recording hidden in the background.

      1. Pete 2 Silver badge

        Re: Read my lips

        > you're basically screwed?

        It's Apple. You're basically screwed whatever you do.

        Just as if your spectacles go dark in daylight after you've grown a beard and caught a cold, put on weight, had a nose job, have a sticking plaster on your "printed" finger and been given a black eye by whoever broke your tooth - though they probably stole your phone, so the whole thing becomes moot.

        Though I do agree: those features mightn't be much use if you knew a ventriloquist.

        1. Dave 126 Silver badge

          Re: Read my lips

          > So if you get slugged in the face so that you lost a tooth and now speak with a lisp, you're basically screwed?

          [facepalm] No, you just enter your passcode. Not sure what's so hard to understand.

          1. Anonymous Coward

            Re: Read my lips

            Careful when you facepalm yourself, based on some of the posters here you'd think people are getting black eyes and having teeth knocked out on a daily basis. They either live in some rough neighborhoods or lack proper facepalming coordination!

  9. Anonymous Coward

    Cheap, secure, convenient - you can only have two of 'em...

    1. Anonymous Coward

      Why? Why can't it be all or nothing?

  10. Gnosis_Carmot

    At least in the USA

    At least in the USA I will stick to a passcode. Law enforcement can force you to unlock your device if it is secured using biometrics like facial and fingerprint. At least with a passcode you can make them at least get a warrant first.

  11. jnievele

    "Google's guidance says that its facial recognition isn't as secure as a PIN (why use it then?)" - easy: It's a convenience feature.

    There's loads of people who still use phones without any screen lock at all... because they think it's cumbersome to use (well, they do have a point...). So the face recognition offers them a way to simply unlock their phone without entering a long PIN, but it will be safe enough to stop any punter who found your phone on the sidewalk outside the pub (because he doesn't know who lost it, he doesn't know where to find a picture to unlock it).

    BTW, any discussion about HOW secure Apple's new face recognition (or MS Hello, for that matter) is should take into account one fact: All these services require you to set up a passphrase to use in case biometrics fail. But if that passphrase (or PIN) is not very long (or is on a post-it on the back of the device), then you're screwed regardless of how safe your biometric solution is...

  12. Jin

    Face ID can by no means be more reliable than a password

    How would it be logically possible for Face ID to be more reliable than a password when it has to depend on a password (as a fallback means against false rejection)?
