In Defense of FaceID

Stefan Friedli
Published in scip
4 min read · Nov 22, 2017

Rarely ever did I get as much angry feedback on an interview I gave to a local tabloid as in 2013, when Apple introduced TouchID on the iPhone 5S. Back then, I argued that the introduction of a biometric mechanism, even a potentially flawed one, would still beat weak passcodes such as 1234, often encountered in the wild at the time and to this day.

Fast forward: Just days ago, on September 12th, Apple introduced their 10th-anniversary release of the iPhone, the iPhone X. One of the critical features of the new model is the lack of TouchID and the introduction of a new biometric security measure, a neural network-based facial recognition technology called FaceID that scans your face and unlocks your phone if it comes to the conclusion that you are, indeed, you.

At this point, prior to the release of the iPhone X, Apple has lost the status of being a technological leader regarding smartphones. The current top model, the iPhone 7 Plus, can — to just mention one example — barely offer a Full HD display while competitors like Samsung or Huawei sport much higher resolutions to garner attention from potential customers. The mocking commentary Apple received while trying to sell the removal of the headphone jack in this iteration of the iPhone as “courageous” was undoubtedly justified in that regard. But it is a fact that FaceID, or much more the processor that enables it, is Apple’s return to a more innovative and, yes, even courageous position in the market.

To compare FaceID with the lackluster efforts of Samsung regarding facial recognition is, technologically, nonsense. In many ways, Samsung poisoned the waters for the entire technology of facial recognition: An implementation that can be easily beaten using Facebook profile pictures or Instagram selfies is most certainly a fun thing to have, but not more than that. FaceID, on the other hand, works with a way more sophisticated and complex technical implementation to identify the legitimate owner of a device. Further, the entire topic of Apple’s Secure Enclave, a mostly separated, dedicated processor setup for TouchID and the new FaceID, is underappreciated, despite being well worth some praise from a security architecture point of view.

It’s telling that the skepticism towards FaceID is just as blurry and undefined as some of the marketing texts that their advocates usually criticize. With an added dash of conspiracy theories: On Twitter, the opinion that FaceID might be a step towards collaboration with Law Enforcement and Government Agencies after Apple’s recent clash with the FBI is already being discussed. The implication is that LEO could just hold the device in front of a suspect’s face and go on snooping through their messages and calls. Not only would a similar statement already be correct for TouchID, but it also ignores iOS11’s new function of hitting the home (or side, in case of the iPhone X) button five times to entirely disable all biometric authentication measures until the valid passcode has been entered.

Talking about passcodes: Even though TouchID, FaceID and other potential future ways of unlocking a device are breakthroughs regarding usability, the option to just not use these technologies and stick with a classic password/passcode is an entirely legitimate option but is rarely considered a valid one. Which is remarkable, considering that similar criticism in regards to Microsoft’s Windows Hello is rarely ever heard.

No matter the first reactions: FaceID will absolutely be vulnerable to attacks. It is to be expected that the German CCC, as well as other researchers, will be dealing with the topic very soon, upon release at the latest, and that they will be presenting successful ways to circumvent FaceID within a very short amount of time. But it is unfair and naive to measure a solution to quickly unlock a device by a standard of it being impossible to circumvent. Neither passcodes nor biometry or any other currently available measure provides this level of sophistication. Much more important for the technology of FaceID will be convenience: Why can’t I unlock my phone when it’s lying on the table? Can I unlock it while driving a car? Could my evil twin unlock my phone using his face? (Apple responded to the last one: Yes, he could. People with evil twins should use a traditional passcode.)

“For most users, the function is a step in the right direction” was my verdict for Touch ID in 2013. A statement that has rung true for the most part in the four years that have passed. FaceID has the potential to transform user interaction with mobile devices once more — and it adds real-time facially animated emojis into the mix. If that combination is a recipe for success, only time can tell.

This article was originally published on September 14th on our company blog over at scip.ch. It was written by Stefan Friedli.
