Is Apple’s Face ID Strong Enough for Identity Proofing?


Face ID is a major improvement over traditional PIN/passcode combinations, which can be stolen via the dark web, phishing attacks or social engineering. And its facial recognition capabilities are more secure than traditional facial recognition done by a simple 2D front-facing camera.

In fact, Face ID is now being used to unlock online transactions too — and here’s where there are some cautions. Face ID replaces Touch ID for Apple Pay and this means, even for transactions, all a user has to do is to look at an iPhone X (or newer model) to authorize online purchases.

How Does Face ID Work?

Apple utilizes facial scanning technology, called the TrueDepth camera system, which is packed into the top of its iPhones. This proprietary infrared camera system scans a user’s face shape and facial features with infrared light, with a dot projector beaming up to 30,000 individual dots invisible to the human eye.

Apple’s face scanning technology generally focuses on features around your eyes, nose, and mouth. The technology has definitely advanced in recent years, and Face ID also utilizes liveness detection by gauging whether a user’s eyes are open and looking directly at the phone. This generally works best if the phone is held 10 to 20 inches away from the user’s face. So, if a user is lying down, squinting or has their eyes closed, Face ID won’t register them as the true user.

Security Issues With Apple Facial Recognition

Using Face ID in financial (and other) apps is one of the more secure ways to authenticate users within iOS. It makes the login experience more efficient and user friendly, and helps bring users back to your app. But it has its fair share of challenges.

In the past, there have been cases where face recognition technology has been easily spoofed using simple tricks. Since the iPhone X launched, people have been attempting to fool Face ID, the new biometric facial recognition feature built into the device as a primary security feature. Face ID has thus far been tricked by twins, children and even a mask.

The Facial Recognition Difference Maker: Liveness Detection

The real security of facial recognition technology comes from the ability to tell the difference between an image of someone’s face — a photograph for example — and the real thing. This is known as liveness detection. Since the iPhone X uses a 3D TrueDepth camera capable of telling the difference between a person and a photo, no liveness detection challenge is necessary. Apple has said that they look at the 3D shape of the face as well as a photograph to make it hard to pass off someone’s photo. This contrasts with other face recognition solutions in the market today, which use 2D cameras that are unable to measure depth and instead require a liveness challenge to detect if the subject is a real person or a photograph.

Keep in mind, Apple doesn’t actually have any record of your face. Using Face ID does not mean that you’re “giving Apple your face.” Instead, Face ID only stores a mathematical representation of your face locally, on your personal device. And that’s good news from a security perspective since there’s no cloud-based repository of biometrics to be hacked and breached.

So, while Face ID seems like it’s addressing security concerns for unlocking a user’s phone, is it secure enough for creating new online accounts and authenticating enrolled users?

Identity Proofing vs. Biometric Authentication: Time to Raise the Bar

When customers create new online accounts, the bar for establishing someone’s digital identity must be higher given what’s at stake.

As a result of recent large-scale data breaches, the amount of personal information available for purchase on the dark web has emboldened identity thieves to perpetrate application fraud — a popular type of banking fraud in which a crook uses your personal information to apply for a credit card or other bank account in your name. That’s why online users are usually required to provide some form of valid government-issued ID, such as a driver’s license, passport or ID card. In other words, they leverage the ID as a trust anchor since it’s still one of the most trustworthy forms of identification available and often includes embedded security features such as watermarks and holograms.

Remember, Face ID maps a user’s selfie to their Apple ID, which is nothing more than an email address, which hardly qualifies as a trust anchor. This means a cybercriminal can create an Apple ID and purchase an iPhone X and associate their face with it. They can then use that Face ID to authenticate themselves to popular apps. While fraudsters typically don’t want to associate their real picture with the company they’re looking to defraud, it still happens. The cyber thief can easily claim to be John Smith on 123 Maple Street in Bristol, Connecticut, but where’s the real proof of their digital identity?

Another key consideration for using Apple Face ID for online transactions is whether or not you want to stay within the confines of Apple’s “walled garden” ecosystem. Companies that adopt Face ID as their authentication methodology can use it to enable Apple Pay, allow transactions in iTunes or within Apple’s App Store. But, if you’re looking to leverage this technology for other financial or online institutions, you’ll need an authentication solution which works seamlessly across different devices, platforms and technologies.

Paralleling the recent growth of Face ID has been the growth in biometric-based identity verification.

Face ID vs. Biometric-Based Identity Verification: What’s the Difference?

Biometric-based identity verification solutions, like ours here at Jumio, start with identity proofing and require the user to capture a picture of their ID document along with a corroborating selfie. During the selfie capture, Jumio creates a 3D face-map (which is similar to Apple’s facial mathematical representation). But now the 3D face-map is tethered to the trust anchor – the person’s verified ID. When future authentication is required, either for logging in or to authorize high-risk transactions (e.g., password resets, wire transfers, unlocking rental car doors, etc.), the user just captures a fresh selfie, and a fresh 3D face-map is created and compared to the baseline 3D face-map for instant authentication. It’s the same basic principle as Face ID, but now it’s fortified by the trust anchor. By performing this type of online identity verification, companies can also scale their online transactions beyond Apple’s “walled garden” ecosystem.
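The difference between a face match and a proofed identity can be shown with a small model, added here as an illustration and not Jumio's or Apple's code. It assumes face templates are short numeric vectors compared by cosine similarity, that the ID document yields a comparable portrait template, and a hypothetical threshold of 0.90; all sample vectors are constructed.

```python
import math
from dataclasses import dataclass

MATCH_THRESHOLD = 0.90  # assumed similarity cutoff for this sketch, not a vendor value

# Constructed 4-dimensional "face templates"; real templates are far larger.
FRAUDSTER = [0.90, 0.10, 0.30, 0.20]
FRAUDSTER_LATER = [0.88, 0.12, 0.31, 0.19]   # same person, fresh capture
JOHN = [0.10, 0.80, 0.20, 0.60]
JOHN_ID_PHOTO = [0.12, 0.79, 0.22, 0.58]     # portrait on John's ID document


def cosine(a, b):
    """Cosine similarity between two equal-length template vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


@dataclass
class Account:
    claimed_name: str
    baseline: list            # template captured at enrollment
    id_verified: bool         # True only when an ID document corroborated the selfie


def enroll(claimed_name, selfie, id_photo=None, id_name=None):
    """Create an account; anchor it only if the ID matches both name and face."""
    anchored = (
        id_photo is not None
        and id_name == claimed_name
        and cosine(selfie, id_photo) >= MATCH_THRESHOLD
    )
    return Account(claimed_name, list(selfie), anchored)


def authorize(account, fresh_selfie, high_risk=False):
    """Return (allowed, reason) for a login or a high-risk transaction."""
    if cosine(account.baseline, fresh_selfie) < MATCH_THRESHOLD:
        return False, "biometric mismatch"
    if high_risk and not account.id_verified:
        return False, "face matches enrollment, but identity was never proofed"
    return True, "ok"


if __name__ == "__main__":
    unproofed = enroll("John Smith", FRAUDSTER)   # no ID: any face can claim any name
    print(authorize(unproofed, FRAUDSTER_LATER))
    print(authorize(unproofed, FRAUDSTER_LATER, high_risk=True))
```

An account enrolled without an ID passes the biometric check every time, because the face is only ever compared with itself; the `id_verified` flag is what ties the template to the claimed name.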

Sadly, the vast majority of financial institutions still rely on legacy authentication processes to power customer identity verification. That’s why we need to be careful about overhyping the potential of Face ID and ensure that apps embed some form of online identity proofing, upfront, into the account setup process before they put all their trust in Face ID.



