In Defense of FaceID - The New Authentication of iOS

by Stefan Friedli
on September 14, 2017

Rarely have I received as much angry feedback on an interview I gave to a local tabloid as in 2013, when Apple introduced TouchID on the iPhone 5S. Back then, I argued that the introduction of a biometric mechanism, even a potentially flawed one, would still beat weak passcodes such as 1234, which were often encountered in the wild at the time and still are to this day.

Fast forward: Just days ago, on September 12th, Apple introduced their 10th anniversary release of the iPhone, the iPhone X. One of the key features of the new model is the lack of TouchID and the introduction of a new biometric security measure, a neural network-based facial recognition technology called FaceID that scans your face and unlocks your phone if it comes to the conclusion that you are, indeed, you.

Just like TouchID in 2013, FaceID has been received with a plethora of critical assumptions. The potential for abuse by authorities is a very common concern. Others would have wanted Apple to provide both TouchID and FaceID to give users a free choice of authentication factors. And then there is the usual vocal group of skeptics who have not really made up their minds about what exactly they do not like about FaceID and have no intention of changing that.

At this point, prior to the release of the iPhone X, Apple has clearly lost the status of being a technological leader in terms of smartphones. The current top model, the iPhone 7 Plus, can – to mention just one example – barely offer a Full HD display, while competitors like Samsung or Huawei sport much higher resolutions to garner attention from potential customers. The mocking commentary Apple received while trying to sell the removal of the headphone jack in this iteration of the iPhone as “courageous” was certainly justified in that regard. But it is a fact that FaceID, or rather the processor that enables it, is Apple’s return to a more innovative and, yes, even courageous position in the market.

To compare FaceID with the lackluster efforts of Samsung in terms of facial recognition is, technologically, nonsense. In many ways, Samsung poisoned the waters for the entire technology of facial recognition: An implementation that can be easily beaten using Facebook profile pictures or Instagram selfies is most certainly a fun thing to have, but no more than that. FaceID, on the other hand, uses a far more sophisticated and complex technical implementation to identify the legitimate owner of a device. Further, the entire topic of Apple’s Secure Enclave, a mostly separated, dedicated processor setup for TouchID and the new FaceID, has been underappreciated, despite being well worth some praise from a security architecture point of view.

It’s telling that the skepticism towards FaceID is just as blurry and undefined as some of the marketing texts that its advocates usually criticize, with an added dash of conspiracy theories: On Twitter, the opinion that FaceID might be a step towards collaboration with Law Enforcement and Government Agencies after Apple’s recent clash with the FBI is already being discussed. The implication is that LEO could just hold the device in front of a suspect’s face and go on snooping through their messages and calls. Not only would a similar statement already be true for TouchID, but it also ignores iOS 11’s new function of hitting the power button five times in order to fully disable all biometric authentication measures until the valid passcode has been entered.

Speaking of passcodes: Even though TouchID, FaceID and other potential future ways of unlocking a device are breakthroughs in terms of usability, simply not using these technologies and sticking with a classic password/passcode is a completely legitimate option, but is rarely considered a valid one. This is remarkable, considering that similar criticism with regard to Microsoft’s Windows Hello is rarely ever heard.

No matter the first reactions: FaceID will absolutely be vulnerable to attacks. It is to be expected that the German CCC as well as other researchers will be dealing with the topic very soon, upon release at the latest, and that they will be presenting successful ways to circumvent FaceID within a very short amount of time. But it is unfair and naive to measure a solution for easily unlocking a device by the standard of it being impossible to circumvent. Neither passcodes nor biometrics nor any other currently available measure provides this level of sophistication. Much more important for the technology of FaceID will be convenience: Why can’t I unlock my phone when it’s lying on the table? Can I unlock it while driving a car? Could my evil twin unlock my phone using his own face? (Apple actually responded to the last one: Yes, he could. People with evil twins should use a traditional passcode.)

“For most users, the function is a step in the right direction” was my verdict for TouchID in 2013, a statement that has rung true for the most part in the four years that have passed. FaceID has the potential to transform user interaction with mobile devices once more – and it adds real-time facially animated emojis into the mix. Whether that combination will be a recipe for success, only time can tell.

About the Author

Stefan Friedli

Stefan Friedli is a well-known face among the Infosec Community. As a speaker at international conferences, co-founder of the Penetration Testing Execution Standard (PTES) as well as a board member of the Swiss DEFCON groups chapters, he still contributes to push the community and the industry forward.
