FaceID – When Form Trumps Function

I’m an Apple guy – Mac, iPhone, iPad, and watch.  I switched my family and friends over years ago, which reduced my technical support immeasurably.  There’s a lot of good things to be said for their products, though recent trends have put form over function to the detriment of users.  The latest case in point is FaceID. I’ve been an Apple user since my ][+ in the early 80’s, and while I took a sojourn into the PC world, I’ve been back since the Intel mac was released in 2006.  They’ve made really cool products over the years, with great design, balancing form and function.  Since Steve Job’s passing however, the company has been relentlessly focusing on a single imperative – make things thin and light, and all other concerns – including utility and functionality – are secondary. My phone and mac now look like they’re being attacked by a swarm of albino squid.  The picture for this article is the box of dongles and adapters required for a single Mac computer.  It’s also resulted in underpowered machines and software doesn’t function well with local content or when offline as the company tries to force cloud and streaming services on their users.  As always with Apple, you either live the way they think you should, or you’re left stuggling. Now all this may be good business strategy.  They probably make a lot more money off people who walk around Cupertino, hang out in coffee shops, use their machines only for surfing and blogging, are always online, and only talk on the phone for an hour a day than people like me and other power/performance users.  But the latest design-driven decision is one that will impact everyone.  In the obsessive quest for a smooth and seamless glass display on the iPhone X, we’ve taken a step backwards on security, safety, ergonomics, and usability.  FaceID is a step backwards. TouchID, particularly the most recent version, is the best consumer fingerprint technology available.  It has a solid crossover point between false accepts and false rejects, is easy to setup, allows multiple users, is relatively hard to spoof (at least without triggering the lockout), and can be used eyes-free when driving.  But it requires a physical sensor that can be touched, and that’s where function ran headlong into form.  From media reports, Apple had been trying to get it to work under a seamless glass pane but without success.  Rather than preserving the functionality, they abandoned a proven security solution and moved to facial recognition – a technology that the majority of security professionals are skeptical of. First, let’s talk about privacy.  On this one, I’ve no worries, Apple got it right.  The recognition data is stored in a trusted computing module (aka secure enclave) on the device, and never sent to the mother ship – TouchID does the same thing.  It’s actually a really cool bit of tech.  Folks concerned about ‘being in a database’ should be much more worried about malls, airports, sporting events, roads, and schools, the driver’s license bureau, and passport agency – all those places collect facial data. Now on to security. There’s a lot of chatter about spoofing FaceID or triggering a false accept with a relative.  The attack in the story is similar to the one I’d try.  I’d start with a 3D scan of someone’s face using series of photographs and software like Strata Photo 3D to stitch them together into a full-color model.  Import that model into ZBrush, clean it up, and export the mesh for 3D printing.  While you’re in there, unwrap the ‘skin’ or texture map with the color information into a 2 dimensional layer.  Export that, print it onto a flexible skin, then wrap that skin back around the 3d print (the skin/transfer processes are covered in one of the books we wrote).  That’s a bit of work, but in the end, you end up with a pretty good full-color 3d model of someone’s head. Note that for a public figure, it’s far easier to get a good 3d model of their face than it is their fingerprint. Next, I’ve been wondering if the IR camera setup for FaceID has some FLIR like capabilities that measure the heat map of a face, and that’s why Wired’s masks didn’t work.  If so, we can use a heat gun to replicate human heat patterns on the model.  To be clear – I don’t (and won’t anytime soon) have an X, and haven’t tried this, but the techniques are all very straightforward.  In any case, I’m sure that eventually a similar attack will succeed. Now, how is that any different from a gummy finger and TouchID?  Effort and technique-wise they’re similar, and in the real world, probably about the same complexity.  With an aggressive lock-out on both, the odds of a false positive are pretty low. Of course, either Touch or Face ID is moot if your mugger wants you to unlock the phone while you’re still in the dark alley, though FaceID does protect you against having the device unlocked while you sleep. But unintentional false positives are starting to emerge, and of course, there were reports – denied by Apple – that they dumbed-down the sensor because of yield problems.  We’ll just have to see how it goes, but I give a slight edge to TouchID because it requires physical contact to obtain the biometric information. Last let’s talk about functionality.  FaceID supports only a single face.  That’s a software issue, and I suspect it’ll change in the future, but right now it’s a limitation.   The bigger issue is the false negative rate.  From media and personal anecdotal reports, it’s far higher than TouchID.  Apple’s done that to preserve the security of a system based on an inferior biometric (which is the right choice), but it has real-world implications. To be most secure, and in order to prevent drive-by unlocking, FaceID requires eye contact with the device.  Oops, it doesn’t work with dark sunglasses (I wear contacts, so my glacier glasses are my friend), which prevent recognition.  Hello passcode. I have my devices set to prevent Siri from leaking data from the lock screen (“hey siri” is at best, hit or miss anyway).   With TouchID, I can simply touch the phone where it rests in the cupholder, and then use voice commands to interact with it (assuming Siri isn’t brain dead that day).   FaceID requires that I lift the phone up in my hand, look away from the road, and make eye contact to unlock it. That’s both unsafe, and in many states, illegal.  Then when it fails to unlock because of the false deny rate, I’m left with having to pull off the side of the road and enter the passcode.  I suspect a lot of people will turn off the eye contact requirement as a result, which drastically reduces the security of the solution. Now to be fair, none of those issues are unique to FaceID.  As facial recognition goes, it’s a pretty good system.  But facial recognition as a technology for primary, single factor authentication is a really poor idea – doesn’t matter if it’s on an iPhone or Surface.  The error rates are simply too high, and the fallback (aggressive failure and lockout) means that the utility is severely hampered (animated poop emoji’s notwithstanding). So we’re left with a regression because the form (ultra-thin, light, seamless) trumped function.  That’s a real shame, because so far Apple’s been really good at finding a sweet spot between security and convenience.  TouchID was a brilliant biometric solution (at least on mobile), and the new two-factor system in iOS 11 and MacOS 13 is the best overall implementation I’ve seen.  It just works – good old days come again.  Unfortunately FaceID is a major step backwards – in the real world it may be roughly as secure as TouchID, but it’s far less usable.

, , , ,


  1. iOS 11 crack – should you be worried? | Doug Lhotka - February 28, 2018

    […] an actual encryption key rather than just a device unlock code.  I’ve written about why I prefer TouchID over FaceID before – part of the reason is that it makes using a robust passcode more user friendly (less […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.