


iPhone X Facial Recognition: Security, Convenience And The User Experience

Forbes Technology Council
POST WRITTEN BY
Avi Turgeman

Most readers are probably aware of Apple's big reveal last month of its next-generation iPhone, with one of the primary talking points being that facial recognition is replacing the fingerprint scanner for authentication. Despite the glitch during the product demo, this development will bring facial recognition into the mainstream.

Mobile applications will have to adapt to this new form of login authentication. In theory, looking at the phone is more intuitive than presenting a fingerprint; it is also friendlier, less disruptive and, by Apple's figures, more accurate: Apple puts the false accept rate of Face ID at about 1 in 1,000,000, compared with 1 in 50,000 for Touch ID. (It is important to note that this number is the false accept rate, the likelihood that an impostor will be able to fool the system. The false reject rate, the likelihood that the legitimate user is turned away, is an equally, if not more, important measure and is discussed later in this article.) Face ID addresses the liveness concerns of facial recognition by projecting roughly 30,000 infrared dots onto the face and reading them back to build a depth map of its geometry, something a flat photograph cannot reproduce. Apple also describes it as "attention-aware": by default it unlocks only when the legitimate user is looking at the device with his or her eyes open.

There has been a lot of controversy about this new feature since its announcement. What if someone wants to discreetly unlock their phone and check a message during a meeting? What if a person wants to make a bank payment while crossing the street? What if a person is sitting on the beach wearing sunglasses? What if it is nighttime? What about privacy?

These are all legitimate questions, and they will be answered by the public at large, who will ultimately decide whether this feature is a convenience or an annoyance. Recognizing that the answer is probably not one-size-fits-all, companies like Samsung SDS are letting users make a secure choice. Nexsign, Samsung SDS's FIDO-based biometric enterprise solution, is designed to protect users against many of today's cyberattacks and vulnerabilities. Nexsign not only lets users choose a modality (fingerprint, voice or face) but, more importantly, follows the FIDO model of public-key cryptography: a key pair is generated on the device at enrollment, and the biometric template and the private key stay on the device (ideally in hardware-backed secure storage), so neither ever crosses the network where an attacker could intercept it. Only the public key is registered with the FIDO server, which sits behind the corporate firewall, and each login is a signature over a fresh server challenge rather than a secret sent over the wire.
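As an added example (not Nexsign's code or any vendor's), the Go sketch below shows the FIDO-style exchange the paragraph describes, using the standard library's ed25519: the device generates the key pair and exports only the public half, releases a signature only when the local biometric gate passes, and the server stores public keys and unanswered challenges, never a template or a secret. The names Authenticator and RelyingParty and the 32-byte challenge size are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The key pair is generated on the
// device and the private key never leaves it. The biometric check (Face ID,
// a fingerprint, etc.) is a purely local gate that decides whether the key
// may be used; the relying party never sees a template or a biometric sample.
type Authenticator struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewAuthenticator() (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pub: pub}, nil
}

// PublicKey is the only thing the device ever exports.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.pub }

// Sign releases a signature over the server's challenge only if the local
// user-verification step succeeded.
func (a *Authenticator) Sign(challenge []byte, biometricOK bool) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New("local user verification failed; key not released")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// RelyingParty models the FIDO server behind the corporate firewall. It
// stores public keys and outstanding challenges, nothing secret.
type RelyingParty struct {
	registered map[string]ed25519.PublicKey // user -> public key
	pending    map[string][]byte            // user -> unanswered challenge
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		registered: make(map[string]ed25519.PublicKey),
		pending:    make(map[string][]byte),
	}
}

// Register stores the device's public key for the user (enrollment).
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.registered[user] = pub
}

// Challenge issues a fresh 32-byte random nonce. Because every login signs a
// new nonce, a captured signature is useless for replay.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.registered[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the outstanding challenge and consumes
// the challenge so the same response cannot be accepted twice.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.registered[user]
	c, okc := rp.pending[user]
	if !ok || !okc {
		return false
	}
	delete(rp.pending, user)
	return ed25519.Verify(pub, c, sig)
}

func main() {
	device, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	server := NewRelyingParty()
	server.Register("alice", device.PublicKey())

	challenge, _ := server.Challenge("alice")
	fmt.Println("challenge:", hex.EncodeToString(challenge))

	if _, err := device.Sign(challenge, false); err != nil {
		fmt.Println("biometric failed:", err)
	}
	sig, _ := device.Sign(challenge, true)
	fmt.Println("login accepted:", server.Verify("alice", sig))
	fmt.Println("replay accepted:", server.Verify("alice", sig))
}
```

The point to notice is what the server holds: if it is breached, the attacker gets public keys and stale nonces, not anything that can be replayed or used to impersonate the user. In a real deployment the private key would live in the device's secure enclave or TEE rather than in process memory.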

This is certainly a good way to secure the biometric itself and to protect the privacy and integrity of a transaction. However, as long as the biometric is used merely as a PIN alternative, as Touch ID and Face ID are, the device's security remains only as strong as the PIN. If a phone is stolen, the impostor never has to defeat the biometric at all; he or she can go straight to the PIN prompt. Every false reject also sends the legitimate owner to that same PIN prompt, so a very low false accept rate is bought with a fallback that is exercised constantly. And considering that the single most common four-digit PIN is estimated to account for more than 10% of all PINs in use, a system whose weakest path is one guess at a PIN is not security at all.
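The two quantitative points above, the false accept versus false reject trade-off and the PIN fallback as the weakest path, can be made concrete. The Go program below is an added example, not anything from the article's author or from Apple, and it rests on stated assumptions: match scores for genuine users and impostors are modelled as two normal distributions (the means and spread are made up), and the PIN frequency table is constructed for illustration, loosely following the shape of published analyses of leaked PIN data. It finds the threshold that achieves a target FAR, reports the FRR that threshold costs, and then computes how much an attacker gains from a PIN fallback.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// normalCDF returns P(X <= x) for X ~ N(mu, sigma).
func normalCDF(x, mu, sigma float64) float64 {
	return 0.5 * (1 + math.Erf((x-mu)/(sigma*math.Sqrt2)))
}

// Rates returns the false accept rate (impostor scored at or above the
// threshold) and false reject rate (genuine user scored below it) for a
// matcher whose scores are modelled as two normal distributions with a
// common spread. The Gaussian score model is an assumption for illustration.
func Rates(threshold, genuineMean, impostorMean, sigma float64) (far, frr float64) {
	far = 1 - normalCDF(threshold, impostorMean, sigma)
	frr = normalCDF(threshold, genuineMean, sigma)
	return far, frr
}

// ThresholdForFAR finds, by bisection, the lowest threshold whose FAR does not
// exceed target. The FRR at that threshold is the price of the target FAR.
func ThresholdForFAR(target, genuineMean, impostorMean, sigma float64) float64 {
	lo, hi := impostorMean, genuineMean+10*sigma // FAR(lo) = 0.5 > target >= FAR(hi)
	for i := 0; i < 200; i++ {
		mid := (lo + hi) / 2
		if far, _ := Rates(mid, genuineMean, impostorMean, sigma); far > target {
			lo = mid
		} else {
			hi = mid
		}
	}
	return hi
}

// SamplePINFrequencies is a constructed table: the fraction of users assumed
// to have chosen each four-digit PIN. The shape loosely follows published
// analyses of leaked PIN data; the exact numbers are illustrative.
var SamplePINFrequencies = map[string]float64{
	"1234": 0.107, "1111": 0.060, "0000": 0.019, "1212": 0.012, "7777": 0.007,
	"1004": 0.006, "2000": 0.006, "4444": 0.005, "2222": 0.005, "6969": 0.005,
}

// PINGuessProbability is the chance that an attacker who knows the population
// distribution guesses the PIN within `attempts` tries before lockout: the
// sum of the most popular PINs' frequencies.
func PINGuessProbability(freq map[string]float64, attempts int) float64 {
	ps := make([]float64, 0, len(freq))
	for _, p := range freq {
		ps = append(ps, p)
	}
	sort.Sort(sort.Reverse(sort.Float64Slice(ps)))
	total := 0.0
	for i := 0; i < attempts && i < len(ps); i++ {
		total += ps[i]
	}
	return total
}

// EffectiveAcceptRate is the probability an attacker holding the device gets
// in when both paths are open: up to bioAttempts biometric tries (each
// succeeding with probability far) and a PIN fallback that succeeds with
// probability pPIN. The two paths are treated as failing independently.
func EffectiveAcceptRate(far float64, bioAttempts int, pPIN float64) float64 {
	pBio := 1 - math.Pow(1-far, float64(bioAttempts))
	return 1 - (1-pBio)*(1-pPIN)
}

func main() {
	const genuine, impostor, sigma = 10.0, 0.0, 2.0 // assumed score distributions
	t := ThresholdForFAR(1e-6, genuine, impostor, sigma)
	far, frr := Rates(t, genuine, impostor, sigma)
	fmt.Printf("threshold %.3f: FAR %.2e, FRR %.1f%%\n", t, far, frr*100)

	pPIN := PINGuessProbability(SamplePINFrequencies, 1)
	fmt.Printf("one PIN guess succeeds with p = %.3f\n", pPIN)
	fmt.Printf("effective accept rate with PIN fallback: %.3f\n",
		EffectiveAcceptRate(far, 5, pPIN))
}
```

With the assumed distributions, driving FAR down to one in a million pushes FRR to roughly 40%, which is exactly the cost the article's parenthetical warns about; and whatever the biometric's FAR, the effective accept rate is dominated by the PIN term, so the one-in-a-million figure says nothing about the device's security as long as a guessable PIN remains an alternative path.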

There is also the risk of account takeover, which occurs after login. According to Auriemma Group, account takeover attacks are among the fastest-growing cybersecurity threats we face today, up 280% from last year and likely driven by malware, social engineering and techniques like phone hijacking. Those who argue that iOS devices are immune should be reminded of the XcodeGhost malware, which reached the App Store through trojanized copies of Apple's own development tools and potentially affected 500 million users. Many of these techniques piggyback on the authentication process, "getting to work" only after the user has properly authenticated to the device, so a stronger login by itself does nothing against them. The countermeasure is persistent authentication, which passively and continuously verifies that the user is who he or she claims to be throughout the entire session, not just at login.


Synaptics, for instance, wants to enable device manufacturers to invoke different biometric factors on an event-driven basis during a session; its multi-factor fusion engine combines the modalities into a single trust score that is updated persistently rather than computed once at login.
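To show what "persistent authentication" and a "single trust score" mean in practice, the Go program below is an added illustration; it is not Synaptics' fusion engine or any vendor's product, and every weight, half-life and threshold in it is an assumption chosen for the example. A session starts with full trust after the explicit login, each passive observation (here constructed typing and touch match scores) is fused into the running score with a weight per modality, idle time decays trust, and a drop below the threshold forces a step-up to an explicit factor. The three constructed traces cover the owner continuing to use the phone, a takeover immediately after login, and a session resumed after half an hour of silence.

```go
package main

import (
	"fmt"
	"math"
)

// Observation is one passive signal gathered during a session: which
// behavioural modality produced it and how closely it matched the enrolled
// user, on a 0..1 scale.
type Observation struct {
	AtSeconds float64 // session clock
	Modality  string  // e.g. "typing", "touch"
	Match     float64 // 0 = nothing like the enrolled user, 1 = perfect match
}

// Policy holds the fusion weights and thresholds. All values are assumptions
// chosen for illustration.
type Policy struct {
	Weights     map[string]float64 // how much a match from each modality is trusted
	Memory      float64            // share of the previous trust kept per observation (0..1)
	HalfLife    float64            // seconds of silence until trust halves
	StepUpBelow float64            // trust below this forces explicit re-authentication
}

type Action int

const (
	Continue Action = iota
	StepUp
)

// Session carries a single running trust score that starts at 1.0 after the
// explicit login and is updated by every observation.
type Session struct {
	policy Policy
	trust  float64
	last   float64
}

func NewSession(p Policy) *Session { return &Session{policy: p, trust: 1.0} }

func (s *Session) Trust() float64 { return s.trust }

// Observe fuses one signal into the trust score and returns the decision.
// Idle time decays trust first: silence is not evidence that the same person
// is still holding the device.
func (s *Session) Observe(o Observation) Action {
	dt := math.Max(0, o.AtSeconds-s.last)
	s.last = o.AtSeconds
	s.trust *= math.Pow(0.5, dt/s.policy.HalfLife)

	w, ok := s.policy.Weights[o.Modality]
	if !ok {
		w = 0.5 // unknown modality: neutral weight
	}
	// Exponential moving average; a weaker modality moves the score less.
	alpha := (1 - s.policy.Memory) * w
	s.trust = (1-alpha)*s.trust + alpha*o.Match

	if s.trust < s.policy.StepUpBelow {
		return StepUp
	}
	return Continue
}

// ReAuthenticated restores full trust after a successful explicit factor
// (PIN, Face ID, etc.).
func (s *Session) ReAuthenticated() { s.trust = 1.0 }

// RunSession replays observations and returns the trust after each one plus
// the index of the first observation that forced a step-up (-1 if none).
func RunSession(p Policy, obs []Observation) (trace []float64, firstStepUp int) {
	s := NewSession(p)
	firstStepUp = -1
	for i, o := range obs {
		if s.Observe(o) == StepUp && firstStepUp < 0 {
			firstStepUp = i
		}
		trace = append(trace, s.Trust())
	}
	return trace, firstStepUp
}

var ExamplePolicy = Policy{
	Weights:     map[string]float64{"typing": 1.0, "touch": 0.8},
	Memory:      0.6,
	HalfLife:    600,
	StepUpBelow: 0.5,
}

// Constructed traces. LegitimateUser: the owner keeps using the phone.
var LegitimateUser = []Observation{
	{5, "typing", 0.90}, {10, "touch", 0.85}, {15, "typing", 0.92},
	{20, "touch", 0.88}, {25, "typing", 0.89}, {30, "touch", 0.86},
}

// HijackedSession: someone else takes over right after the owner logged in.
var HijackedSession = []Observation{
	{5, "typing", 0.15}, {10, "typing", 0.10}, {15, "touch", 0.20},
}

// IdleThenResume: the owner's own session, left untouched for 30 minutes.
var IdleThenResume = append(append([]Observation{}, LegitimateUser...),
	Observation{1830, "typing", 0.90})

func main() {
	for name, obs := range map[string][]Observation{
		"legitimate": LegitimateUser, "hijacked": HijackedSession, "idle": IdleThenResume,
	} {
		trace, stepUp := RunSession(ExamplePolicy, obs)
		fmt.Printf("%-10s final trust %.3f, first step-up at index %d\n",
			name, trace[len(trace)-1], stepUp)
	}
}
```

Two design choices carry the security argument. The idle decay means the score is not a permanent grant earned at login, which is precisely the gap post-login takeover exploits; and the step-up is a trigger for an explicit factor rather than a silent lockout, so a false reject in the passive layer costs the owner one Face ID or PIN prompt instead of a dead session.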

Today, behavioral biometrics is the only known way to achieve this without disrupting the user experience, which drives most product decisions in the consumer world. As Steve Jobs said, "You have to start with the customer experience and work backward to the technology." That may be true, and it is the sort of thinking that has driven Apple's success to date, but given the role that mobile devices play in our daily lives, there is more to consider. Finding the right balance is key for the next wave of devices. In the words of former Google CEO Eric Schmidt, "Identity will be the most valuable commodity for citizens in the future."

The future is here.