Face ID is Probably Going to Be Annoying, But It’s the Future



There are few companies in the tech industry that have a better sense of what consumers want—and are willing to pay premiums for—than Apple. Often, it seems Apple’s marketers and engineers know more about our product desires than we do, and the company is quite adept at satisfying those wants.

The new iPhone X, introduced yesterday at Apple’s annual fall event in Cupertino, is no exception. The device is beautiful to look at, with its all-glass design and lack of buttons. It’s the purest example of Apple’s simple, clean aesthetic. The removal of the familiar home button also means that the iPhone’s Touch ID authentication system is gone. Only four years old, Touch ID is replaced on the new phones by Face ID, a facial-recognition system that uses the new TrueDepth camera to map the owner’s face. The system can be used to unlock the device and also is tied to Apple Pay.

Details on the technical specifications of Face ID are scarce right now, but we do know that the system makes use of the hardware and software security features that have been built into the iPhone for several years.

“With Face ID, iPhone X unlocks only when you’re looking at it. It’s designed to resist spoofing by photos or masks. Your facial map is encrypted and protected by the Secure Enclave. And authentication happens instantly on the device, not in the cloud,” Apple’s documentation says.

That’s good news for security and privacy conscious users. The Secure Enclave is a separate processor in the iPhone that handles the encryption and key management tasks and has proven to be highly resistant to attacks over the years. Storing the encrypted facial map in the Secure Enclave on the iPhone is a better and more secure option than moving it to the cloud, and it’s likely faster for authentication purposes, too. A couple of weeks ago, before Face ID was confirmed as a feature on the iPhone X, my friend Rich Mogull, who has followed Apple security technology closely for many years, wrote that it was important to judge the technology in terms of its own merits, as well as in relation to Touch ID’s security and utility.

“Touch ID isn’t perfect — there are a variety of ways to create fake fingerprints that can fool it. The financial cost is not prohibitive for a serious attacker, but the attacks are time-consuming enough that the vast, vast majority of iPhone users don’t need to worry about them,” Mogull wrote in TidBits in August.

“I’m sure someone will come up with ways to fool Face ID, but if doing so requires taking photos from multiple angles, computing a 3D model, 3D printing the model, and accurately surfacing it with additional facial feature details, I’ll call that a win for Apple. It will make an awesome presentation at a hacking conference, though.”

Apple knows what it’s doing when it comes to security. Face ID likely will work just fine from a security perspective, but from a usability and convenience point of view, Face ID probably will take a lot of getting used to. The great thing about Touch ID is that it not only allows users to unlock their phones without entering a passcode, but it allows them to do so with a single touch in half a second. It works when the phone is lying on a table, in your pocket, or pretty much anywhere else. It’s simple to use and it just works.

Face ID will take a little more time and effort to use, which may discourage some people from enabling it and require them to rely on less secure passcodes. That will likely be a small minority of users, especially when you consider that the iPhone X sells for $1,000 and the people willing to spend that kind of money on a glass rectangle will probably want to use all of its fancy features. It may take some time to get used to, but Face ID is the future of mobile authentication.

Dennis Fisher

INFOGRAPHICS

Don't Get Hooked: How to Recognize and Avoid Phishing Attacks

Dennis Fisher

Dennis Fisher is editor-in-chief at Duo Security. He is an award-winning technology journalist who has specialized in covering information security and privacy for the last 15 years. Prior to joining Duo, he was one of the founding editors of On the Wire, Threatpost and previously covered security for TechTarget and eWeek.