Subtlety is the Future of Biometric Authentication

Biometric security standards have been evolving ever since the fingerprint scanner came into focus with Apple’s iPhone 5S. Adoption was rapid and the fingerprint scanner is almost ubiquitous now, found on flagship models from OEMs as well as entry level models. However, biometric authentication is evolving to a stage where it becomes truly transparent.

Source: Macworld

Biometric Authentication Over the Years

Ever since phones became ‘smart’, they transformed into digital vaults, containing everything from bank account details, emails, pictures (in some cases questionable ones) and other personal information. One of the first modes of security was the pass code, that is still found on many phones, Android took it a step further by giving users an option to draw a security pattern and then came biometric authentication. From the (now humble) fingerprint scanner to 2D face unlock, iris scanning and voice unlock.

For many years the fingerprint scanner was the reigning champion, used for unlocking phones, verifying purchases and everything in between. Other security measures such as face unlock, and iris scanning were still present on many flagship smartphones, but the fingerprint scanner was viewed as the easiest and the most secure way to unlock phones. Face unlock and iris scanning were seen as gimmicky, since factors like bad lighting and different angles caused them to fail, frustrating users who would instantly switch to the fingerprint scanner as their preferred mode of authentication.

The Defining Moment for Biometric Authentication

With the launch of the iPhone X, Apple ditched the fingerprint scanner and launched Face ID which is touted as being more secure than Touch ID. Apple’s website, says that “The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID)”. Face ID was a revolution for biometric authentication, using a mode of authentication that was as unique as your fingerprint, your face. Unlike previous attempts at face authentication which relied on a 2D map of your face, Face ID creates a 3D map of the user’s face by projecting 30,000 invisible (read infrared) dots which is inherently more secure. In addition to this, problems like bad lighting were mitigated, though extreme angles still cause it to fail.

What Face ID did was to enhance the user experience by removing physical interaction. The user had no mandate to place his/her hand on a particular button or in a particular area, all they had to do was look at the phone and swipe up. Apple’s enhanced focus on security also allayed fears that users might have had about Face ID.

Face ID some might say is almost magical, since users never felt that there was a step they had to take to unlock their phone, of course that sense of magic does disappear when the phone vibrates vehemently indicating that your face has not been recognized and a pass code is required. Face ID on the iPhone X is also a beat slower than the current crop of fingerprint scanners, though reports suggest that the second generation of Face ID on the iPhone XS and XS Max is much faster.

This is of course, the first concrete step towards a better and indiscernible biometric system and many OEMs are catching up with Apple, debuting their own versions of Face ID.

The Danger of Convenience

While biometric authentication is no doubt convenient, there have been many cases of it being used against the very individuals it is supposed to protect. One notable instance being law enforcement forcing subjects to unlock phones with their fingerprint and more recently with their face.

In addition to the above, there are also privacy concerns that have been raised especially with respect to Face ID. Face ID creates a detailed 3D map of your face and privacy advocates have been worried about the implications of this availability to developers and how they could exploit this data. Developers could use this data to gauge real time sentiment (understand how a user is feeling during app usage) and serve ads accordingly and even be able to predict moods of a user throughout the day. Apple has made assurances that this data is secure and apps that use this data must go through a stringent review process, however, lapses can occur with users being totally unaware. One approach to tackling this issue would be to implement frequent mandatory hygiene checks for apps that use Face ID data.

Where Can Biometric Authentication Go From Here?

The next step towards enhancing the security of biometric authentication would be for OEMs to start exploring means by which biometric authentication systems would detect anomalies in facial expressions such as fear or anger. Indicators such as furrowed eyebrows, rapid dilation and constriction of the pupils could serve to lockdown the device with multiple security overrides required before the device became usable again.

With wearables in play (smartwatch shipments grew 37% YoY in Q2 2018), the device could also factor in other indicators such as elevated heart rate and perspiration to understand that the user is under a high level of stress.

Biometric authentication systems might evolve to a place wherein the phone could unlock based on the user picking it up. To make this truly secure, data from the gyroscope, accelerometer, Face ID data and wearable data amongst others could be tapped into (more about sensor fusion here). This would also raise the bar considerably, since an attacker trying to breach a device would not be able to bypass security data gleaned from different sources on the device.

Added security however, comes at the cost of convenience. There could be situations where the phone erroneously refuses to unlock, deeming the user to be under stress. To strike a balance, phones must combine AI, machine learning capabilities and sensor data to enable it to be watchful if there is a sharp deviation from regular user behaviour. Rather than going into full lockdown, the user could also designate certain applications (banking apps, password vaults) that would revoke access immediately.

Biometric authentication methods still need to find the right blend of safety and security while still being convenient. Until then we can hope that this quote from Michael Meade, “A false sense of security is the only kind there is”, does not ring true for much longer.