Apple's Face ID: No match for multifactor security 

I remember as a kid watching sci-fi movies such as 2001: A Space Odyssey, The Fifth Element, and Minority Report with awed anticipation, desperately hoping for the cool technologies in those films—facial recognition, artificial intelligence, gesture controls, and flying cars—to become a reality. Today most of those technologies exist (sans the flying car) and, thanks to companies including Apple, we can carry them in the palm of our hands.

Facial recognition is one of those new technologies. Apple recently announced that its iPhone X will replace the Touch ID fingerprint sensor with a facial-recognition feature called Face ID. While Face ID sounds cool, convenient, and futuristic, I wonder if it's as secure as Touch ID. Does it pose any new security risks or privacy issues?

At a high level, you should consider two points when judging the security and efficacy of authentication factors, biometric or otherwise:

  • How easily can attackers guess, copy, steal, or spoof the authentication factor?
  • How secure is the digital copy of the authentication factor?

Here's why Face ID will not replace multifactor authentication.

State of Security Operations 2017

How Face ID works

Until recently, facial-recognition technologies have either been very easy to trick or overly sensitive to environmental factors, which made them ineffective authentication factors.

But Face ID goes beyond just tracking motion from 2D video to actually mapping 3D environments, with a technique called structured light. Apple's "TrueDepth" system projects structured IR light (30,000 dots) onto your face to measure the depth of various points, basically creating a 3D model.

This alone significantly improves the accuracy, and thus security, of Face ID’s recognition. Unlike past technologies, a picture or video alone will not fool a 3D facial scanner.

Apple also says you have to look directly at your phone for Face ID to kick in. This suggests the system looks for some eye or pupil movement, too. Finally, some facial-recognition systems also look for skin and texture indicators, which can improve recognition accuracy as well. Face ID does not.

The bottom line: No technology is impenetrable. In the past, researchers have proved that they could recreate relatively accurate 3D models of a person's face using publicly available pictures and the science of photogrammetry (specifically stereophotogrammetry). It's not unreasonable to expect researchers and attackers to find new ways to trick Apple's Face ID system in the future.

Despite all the Face ID joke memes and the failed log-in during Apple's launch event, I believe Face ID has been designed very well. I suspect the underlying technology makes it more secure than many other facial-recognition systems. That's not to say it will be impossible to defeat, but it will take significantly more effort to defeat it—much more than just a 3D-printed face.

About that digital copy of my face

The second general security concern with authentication systems is how they store and transmit the digital version of an authentication factor. In other words, can an attacker recover the digital copy of your credential and use it to log in as you?

On paper, Apple has done a great job of securing this data. Apple says the model of your face never leaves your iPhone X. It does not transmit it over any network or store it in the cloud. Like your digital Touch ID fingerprint, your Face ID data is stored specifically in something called the iPhone’s secure enclave.

Apple’s latest system-on-a-chip (SOC) processors have a separate co-processor called the secure enclave processor (SEP) used for security and cryptography functions. This processor has its own operating system and is isolated from the main processor.

If your phone stores a digital key (such as your Face ID model) in the SEP, the main processor never actually sees or handles the key. It receives just the "outcomes" of operations with that key. In other words, the operating system never sees the model of your face; it gets only the "matched" or "not matched" result from the secure enclave. In short, Apple has designed a system that can't retrieve your Face ID data, so it will be particularly hard for attackers to gain access.

Is it strong enough?

Despite Face ID's security, I'm still almost positive that researchers and hackers will eventually crack it. Which brings me to my real point: No single authentication factor, no matter how well designed, will ever be perfect. Our authentication options are something we know (passwords), have (tokens or certificates), or are (biometrics). The problem is that there are always ways for these tokens to be stolen, guessed, or mimicked.

Biometrics, like Touch ID and Face ID, have become all the rage because they’re much easier to use than passwords and offer decent security. Though you can use passwords securely, it simply is too hard for the average human to remember a long string of random letters and numbers.

But we are falling into the same trap. Biometrics have weaknesses too—all authentication factors do. One day, we will realize that biometrics such as Face ID are no more perfect than the passwords we used before.

That's why the only truly secure authentication choice is multifactor authentication. Rather than using different factors individually, we need to pair two or more together. With enough time and effort, someone could probably create a convincing copy of your face, but what if your phone or bank account required both your face and password to log in? That would make it exponentially harder to crack.

In the end, I believe multifactor authentication is your only truly secure option for protecting critical information. Rather than quibbling over whether Face ID is more secure than Touch ID, or if certificates are more secure than passwords, we should realize that all authentication factors have weaknesses. Apple did well in designing Face ID, but unless you pair it with something else, hackers will eventually defeat it.

State of Security Operations 2017
Topics: Security