Multi-Factor Authentication and the Security of iPhone's Face ID

Last week, Apple had their annual iPhone press event. In addition to the expected incremental updates to the iPhone 7 and iPhone 7 Plus (and the iPhone 8 and iPhone 8 Plus), Apple announced a third premium model called the iPhone X. This model is expected to ship in early November.

Like several higher-end Android handsets released this year, the phone is designed to expose nearly all the face of the phone as screen. This means removing the Home button on the front, which Apple has historically used for their Touch ID fingerprint biometric sensor. However, rather than trying to move a fingerprint sensor to the back of the phone or underneath the screen, Apple chose to deploy an entirely new biometric system called Face ID, which works by recognizing the user's face rather than their fingerprints.

Apple's goals for biometrics go beyond reducing user friction on access or increasing security. Apple ultimately wants that security to be completely transparent.

Simply stated, they want their devices to each recognize and make a decision on who it's interacting with. If you're the owner of the device, it allows access to information and authorization to perform actions. If someone else picks up the device, the phone restricts information and access.

For the most part, Touch ID has felt like a success here--simply pressing a button that the device already requires you to press will attempt to determine who you are, unlock the device and let you access applications. While it doesn't work with wet or gloved hands, the hardware has improved in performance and 'feels' instantaneous to users, and is considered by many to be the 'gold standard' in fingerprint biometrics.

Few outside Apple have been able to interact with the upcoming iPhone X at this point. However, users have high expectations of any biometric system released by Apple -- that the Face ID system must be at least as secure and transparent as Touch ID for it to succeed, and that Face ID must succeed for the iPhone X to sell.

As explained previously in the What is Multi-factor Authentication blog, authentication factors are typically divided into three categories--what you know, what you have and what you are. The typical phone is represented by:

What You Have

Most devices require physical interaction with the device for access. Since the device is portable, use of the device itself can be considered a factor. Someone must take possession of the phone in order to access information on the device. Typically, this factor is only defeated through loss, theft or legal compulsion.

What You Know

While most phones will still let a user run without a PIN or passcode, a PIN is considered a minimum bar for phone security. Someone must guess or otherwise discover the information in order to gain access.

However, it's worth noting that many people still choose weak PINs and reuse passwords. A password reused across all websites, for example, only needs to be compromised on one in order to be reused across all of them. PINs and passwords today aren't improved as much by being complex as they are by being unique.

What You Are

Biometrics have historically gotten a bad reputation because they're intrinsic and thus unchangeable. We leave fingerprints everywhere, and many (if not most) fingerprint sensors can be fooled by a sophisticated attacker who has lifted a high-quality set of prints. When this happens, the user can't change their fingerprints--the biometric is effectively defeated until newer, better technology becomes available. It would be like a front door where the locks were impossible to change, even after the key was lost.

For this reason, biometrics are a constantly evolving technology and often are deployed with four specific requirements:

• Biometrics shouldn't be the only factor for determining access. You need to use one or both of the other factors in order to be able to 'change the locks' should a compromise occur.

   

• Biometrics are typically deployed for convenience and transparency. The goal in this case is not to answer the 'who's there' question, but to increase your confidence that the user is still there.

   

• Because biometrics can be compromised permanently, they need to be an optional part of the overall system security.

   

• Because the risk is usually of biometrics being captured in a way that can be replayed to the system, biometrics typically need to stay private. The system that knows the biometric parameters can't be allowed to share them.

With respect to Apple's design, iOS devices require physical possession of the device for most access, and they require a PIN or passcode to be set in order to enable Touch ID or Face ID. The PIN or passcode are required on every reboot, as well as for performing actions that impact overall security such as installing a software update or allowing backups. Touch ID and Face ID are then used to allow access in lieu of re-entering the PIN or passcode.

With Touch ID, Apple keeps all biometric information local, and isolated into their 'secure enclave' which is basically a separate computer inside the CPU. All security actions now go through this secure enclave, including decryption of storage and use of cryptography. The software of this enclave is isolated so that even malware that otherwise hijacks the phone must still abide by the rules, and is prevented from seeing the biometric information. Apple has stated that with Face ID, their silicon design team that placed the "neural engine" facial recognition processing is behind this secure enclave to keep your biometrics private and safe.

While we won't have the ability to use Face ID until the iPhone X is released in November, there are things we know so far. Unlike the facial recognition systems used by other devices in the past, the Face ID system includes a dot projector and IR camera. By analyzing the picture of the projected dots, the facial recognition system includes a 3D analysis component that will defeat simple attacks using cameras. Apple has supposedly worked with professional mask makers to train the system to resist 3D models of a face as well.

The system does eye tracking as well--it requires your eyes to be open and looking at the device to unlock. The iPhone X product page mentions that the device will use your focus to keep the screen from sleeping while you read and to reduce the volume of alarms and notifications, implying a periodic or continuous check while the device is in use. There were previous incidents where the phone was unlocked using the owner's fingerprint while asleep or otherwise incapacitated. This eye tracking check should defeat that sort of attack.

As mentioned previously, Apple has embedded Face ID into their custom CPU design. This hopefully will result in a faster and more power-efficient facial recognition design when compared to other vendors. The protection of the facial data behind the secure enclave means that it can't be exposed to software on the device or to the cloud, even in the event of a system software compromise.

Apple estimated the false positive rate of the Touch ID sensor as 1:50,000. They've estimated that rate to be 1:1,000,000 for Face ID. This implies a biometric system that both has more data to detect potential attacks, and one which could, in the future, be reliably used to identify a user from a group.

Apple reduced the number of allowed failures from five with Touch ID, to two with Face ID. This means that they likely also expect far fewer false negatives/lockouts. This is supposedly the cause of the first unit "failing" during their event; enough people handled the device during the setup of the event that it had suspended facial recognition and was requiring PIN entry.

Apple has also added a button combination explicitly to disable facial recognition, requiring a passcode to unlock the device. This can be used in cases where the user is afraid they may have their device stolen or legally compelled by law enforcement or border patrol. This will likely also be useful for people who live or are travelling in areas where passwords and biometrics have different legal protections.

We'll need to wait until November before consumers actually know how good or bad the experience of Face ID is. Expectations vary from the feature (and thus the iPhone X) being a failure, to Apple's implementation being the new gold standard for facial recognition on phones.

What we do know is that Apple's approach of custom components and integration across multiple hardware and software teams will preclude other handset makers of duplicating the technology with off-the-shelf components. Instead, it's likely we would see diversity of implementations as well as investigation into other potential biometrics and sensors.

Typically, fingerprint recognition requires the user to place their finger on the sensor in order for the biometric to work, while facial recognition can work without the user taking any sort of action. While this is more transparent for authentication, it does remove the ability to leverage that action to implicitly or explicitly indicate consent. For access to your bank account, Face ID automatically unlocking the app is appropriate. To approve a money transfer, looking at your phone isn't sufficient--the application would also need to prompt and verify the user's consent.

There are emerging standards like Web Authentication (based on the work of the FIDO Alliance) that leverage hardware capabilities to allow secure, privacy-preserving authentication to remote systems. Unfortunately, since Apple policy is to not comment on future functionality, we don't know if they have any plans to support such standards.

From what we know about Apple's upcoming Face ID system, it appears to have the properties desired for successful biometric authentication:

• The system relies on multiple factors
• It has a fallback to a PIN if authentication fails
• The user can opt out of facial recognition both temporarily and permanently
• Apple has described a design meant to be both accurate and resistant to known attack vectors
• The system is designed to protect the privacy of the user and the facial metrics used for authentication

Because the facial recognition system is being marketed as a selling point for security and convenience, this likely means it'll get wide adoption if it works as well as advertised. We hope Apple adopts standards like Web Authentication in the future. This will allow the strong authentication and privacy of Face ID and Touch ID to extend off of the phone to the larger identity ecosystem.

-------

Stay up-to-date on important identity security news and requirements, subscribe to our weekly blog.