Today it is normal to use facial recognition to open your phone and to pay with your credit card through Apple Pay – 10 years ago I would never have imagined that these features would be accessible to people and used in everyday life.
Facial recognition is fairly new to the public, since the technology until now has been either very sensitive or easy to trick. Apple first launched facial recognition (Face ID) on iPhone X in 2017 (Tillman, 2021). Apple’s facial recognition uses a “TrueDepth” system that projects structured IR light onto the user’s face to measure the depth of the facial features. The IR light contains 30,000 small dots and is basically creating a 3D model of the user’s face. This technology is resilient to tricks such as videos or pictures of a face, which makes Face ID very accurate (Nachreiner, 2021). In addition, according to Apple, the false-positive rate is as low as one in one million. This is a great improvement over Touch ID (fingerprint), where the false-positive rate was one in 50,000 (Tillman, 2021).
Even though Face ID is accurate and resilient to tricks – how safe is it? Where is the data stored and who has access to this data? Would a hacker be able to get access to your Face ID? According to Apple, the data never leaves the user’s phone and is not transmitted to any cloud or network. It is saved in something called the “iPhone’s secure enclave” which, according to Apple, would be impossible to hack since the data can’t be retrieved (Nachreiner, 2021).
But is anything that has to do with data really impossible? Even though Apple is one of the leading companies within technology, technology emerges and improves every second – also for hackers. Yet at a Black Hat hacker convention in Las Vegas, some researchers found that it was possible to “hack” the liveness detection of an iPhone user and thereby hack the Face ID. Apparently, if the user is sleeping, wears glasses, and has their eyes held open with tape, it is possible (Winder, 2019). So, if this is the only way that we know of right now to hack a Face ID, that seems pretty safe to me. Yet Chief Technology Officer Corey Nachreiner (2021) suggests that in order to secure sensitive information even more, multifactor authentication is the only truly secure option. According to Nachreiner, the combination of biometric data and passwords would be the safest, and I agree on this point. What do you think?
References:
Nachreiner, C. (2021) Apple’s Face ID: No match for multifactor security. TechBeacon.com. Retrieved from: https://techbeacon.com/security/apples-face-id-no-match-multifactor-security
Tillman, M. (2021) What is Apple Face ID and how does it work? Pocket-lint.com. Retrieved from: https://www.pocket-lint.com/phones/news/apple/142207-what-is-apple-face-id-and-how-does-it-work
Winder, D. (2019) Apple’s iPhone FaceID Hacked In Less Than 120 Seconds. Forbes.com. Retrieved from: https://www.forbes.com/sites/daveywinder/2019/08/10/apples-iphone-faceid-hacked-in-less-than-120-seconds/?sh=73c130dd21bc
 
	
Interesting topic. I also think that multifactor authentication is the safest way of protection at this moment. I talk about this topic in my mini blog if interested. ^^
Hi Mia,
Very interesting topic. I recently switched from Touch ID to Face ID myself on my iPhone, seemingly without any consequences or downsides to the feature. Reading your post was therefore quite insightful as it made me think about what the possible negatives could have been.
According to your findings, it does seem like Apple really thought about the security of the feature. As the Face ID data never leaves the user’s phone and is not transmitted to any cloud or network, I’d say it is highly unlikely that a hacker is able to access it, as those are the most common platforms/ways data is accessed through.
Multifactor authentication (MFA/2FA) with both biometric data and passwords/-codes is always a good idea on any type of digital security. However, that would defeat the purpose of quickly accessing e.g. your phone through Face ID, as then you’d have to authenticate the phone access via another way (i.e. a password) afterwards. So there are downsides to that as well.
I’m having faith in Apple on this one 😉
I think the question you raised is indeed worth thinking about. Although it is not the first time it has been raised, as far as I know, many friends of mine are still using this feature. I think it was probably 5 years ago, in 2016, when Microsoft quietly deleted the MS Celeb face recognition database. This database was probably the world’s largest public face recognition database at that time, and the best face recognition models are all trained on this database. The database contains 10 million photos of about 100,000 people, but these photos did not get the consent from the owners. At that time, the academic circle was actually very concerned about this problem, thinking that if other databases, such as CASIA-Webface, VGGFace, also delete the data one after another, the field of face recognition is likely to face a situation where there is no training data available. But as far as I know, this is indeed a trend in the industry, because the current DukeMTMC data set in the research field of Person ReID has also been deleted.
As far as the control of data security is concerned, the European Union’s requirements should be the most stringent. I heard that in Germany, the laws and regulations on data collection for autonomous driving clearly state that when collecting road driving image data, if there is a human face, it has to be replaced by Mosaic or cartoon avatars, otherwise you will face a large fine. And there will be supervisors stationed in the company from time to time to check the training data sets of these companies.
Although the data in these databases have been deleted, the data downloaded before is actually stored intact on the hard drives in every corner of the world. As for whether it will be used by criminals, it is hard to say. So, I still have to manage my privacy carefully. For me, I don’t even use this type of function myself.