MacRumors has an interesting article on the iPhone 8 with a rumor that it’ll forgo the fingerprint reader in favor of a 3D facial scanner. It’s an interesting idea that could be very convenient, but would it be secure?
The obvious first question is, can it be spoofed? It’s relatively straightforward to capture a 3D model of someone’s face, including visual coloration. That can then be split into a texture, which is unwrapped digitally, printed and transferred to a flexible skin. The 3D model can be printed on a consumer 3D printer, and then recombined with the printed skin to form a reasonably accurate 3D model of someone’s head.
Will it be good enough to spoof the sensor? If it includes IR sensors that look for non-uniform thermal images, it’d be more reliable, but if it’s just an image and morphology recognition, it should be possible. A lot will depend on the tolerance built in, and most facial recognition systems have a crossover problem.
Assuming Apple releases a phone that has this, and allows charging and headphones at the same time, without looking like (homage to Bruce here) a bleached squid is dangling from my shirt, I’ll give it a try and let you know.
Next we have the issue of compelled unlocking. This is a murky area of law, and we don’t have clear direction. Forcing someone to type in a password is probably not going to survive. Requiring someone to press a finger to a sensor is currently winding its way through the courts, and that outcome is definitely in the grey area.
I suspect that requiring someone to hold still while a phone is held up in front of their face is likely to be permitted.
Last, these systems have real challenges with false positives and negatives – they range from nearly a joke (hold up a picture), to annoying (high failure rate).
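The tolerance trade-off behind the false positives and negatives above, and the "crossover problem" mentioned earlier, as an added example that is not part of the original post. It reads "crossover" as the threshold where the false accept rate equals the false reject rate; the similarity scores and the function names are constructed for illustration and do not come from any real matcher.

```python
# Constructed similarity scores (0..1) from a hypothetical face matcher.
# GENUINE: the enrolled owner presenting their own face.
# IMPOSTOR: other people (or spoof artifacts) presented to the sensor.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.67, 0.93, 0.79, 0.58, 0.90]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.63, 0.22, 0.55, 0.70, 0.31, 0.47]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold unlocks the device."""
    # False accept: an impostor score clears the threshold.
    far = sum(s >= threshold for s in impostor) / len(impostor)
    # False reject: the real owner's score falls below the threshold.
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) where the two error rates are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    # Lenient tolerance: convenient, but most impostors get in.
    print("lenient 0.30 ->", error_rates(GENUINE, IMPOSTOR, 0.30))
    # Strict tolerance: no impostors, but the owner is locked out often.
    print("strict  0.90 ->", error_rates(GENUINE, IMPOSTOR, 0.90))
    # Crossover point: neither rate can be lowered without raising the other.
    print("crossover    ->", crossover(GENUINE, IMPOSTOR))
```

Because the two score distributions overlap, no threshold drives both rates to zero; a second factor or a liveness signal has to cover whichever error the chosen tolerance leaves open.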
Apple’s managed to do some interesting things with usable user-friendly security, so if anyone can get the tradeoffs right, it’s probably them. I just hope it’s not the sole option on a flagship product.