Apple’s latest version of the iPhone, iPhone X (pronounced 10), has been hailed for its Face ID feature. That’s facial recognition, using a TrueDepth camera (marketed also for taking selfies, and for analysing 50 muscle movements so you can mirror your expressions in ‘Animoji’ such as panda, pig or robot). Users can use it with Apple Pay.
Stephen Cox, Chief Security Architect at SecureAuth, an authentication and cloud access product company, said that this feature ‘quite simply has the potential to shape the future of biometric authentication’. He said: “Biometric technology, of course, is based on the fact that each person is unique – a person can be identified by his or her intrinsic physical or behavioural traits. But it is important to remember that authentication via facial recognition is not new and that no security measure alone is a silver bullet.
“While it is difficult to replicate the facial features of a user, early attempts at this technology in consumer devices were easily defeated by simply placing a picture of the user’s face in front of the camera. The iPhone X has 3D capabilities that can judge distance, a mitigation for this vulnerability. It remains to be seen how effective it is, but you can bet that the hacker community will fervently try to defeat it.
“Still, no single authentication technique is beyond the reach of attackers. Devices will be hacked and sensors will be tricked. It is important to layer such technology with adaptive authentication methods, such as IP reputation, phone number fraud prevention capabilities or behavioural biometrics. Security is very much about layers.”
Ollie Hayler, Business Development Director for PalmSecure Biometrics at Fujitsu Cyber Security and Enterprise, said that Face ID highlights the shift in security culture that we have seen among consumers in recent years. “Where biometric solutions were once deemed futuristic and unsafe, it is now commonly accepted that neither using a combination of symbols, numbers and letters nor changing passwords periodically can keep accounts safe from cyber threats. Passwords and PIN numbers are becoming a thing of the past as they can be copied, stolen, guessed or shared easily. Now thanks to biometrics, customers and businesses alike have a far more secure choice of authentication and verification.
“Although thumbprints and facial recognition are a good starting point in introducing consumers to biometric methods, a key area for the future of biometrics is palm vein. This technology combines the convenience of a contactless sensor with biometric security, and uses near infrared technology to scan over 5 million reference points of the internal vein pattern of an individual, thus making it extremely secure. Whilst not currently available on smartphones, palm vein continues to be deployed across the globe for applications such as patient ID and verification in hospitals, financial transactions at ATMs, physical access in smart buildings, cashless payments and as a secure login to core applications such as banking platforms. For users, the system is more convenient and faster than typing a password – with identity verification usually completed within one second. Each palm vein pattern is unique and it stays the same throughout a person’s life.
“While we don’t expect biometric adoption to happen overnight, the proliferation of biometric technologies in consumer devices such as the Apple iPhone will result in consumers becoming more familiar and comfortable with the technology. As such, biometric verification of identity on a personal device will, in one way or another, become a standard identification process.”
And Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, commented on the effectiveness of facial recognition as an authentication method. To date, there is nothing more reliable than a long-randomised password, she said. “Fingerprint scanning, facial recognition, Bluetooth, geolocation and even a short PIN are all ways to simplify access not only for yourself, but also for a potential attacker. Even if the new Apple algorithm for facial recognition cannot be fooled by photography, vertical self-videos can easily be found in the public domain – for example, on Instagram – and could be used to crack the device. As a replacement for fingerprint authentication, this feature has only one advantage – it is unlikely to be able to unlock the phone when the owner is asleep.”
For more about the iPhone X, visit https://www.apple.com/uk/iphone-x/.