PODCAST: Does the iPhone’s facial recognition technology go too far?

By Byron V. Acohido

The release of the new iPhone X (don’t call it ‘X,’ say ‘ten’ or iPhone X), with its facial identification activation feature, has sparked interest in the latest developments in biometric security.

I spoke with Corey Nachreiner, chief technology officer of WatchGuard Technology, about the advantages – and risks – involved in using biometric identifiers with digital devices.

The next steps in authentication

Apple is “really going whole hog” into facial recognition for unlocking a phone, in part because they don’t want buttons, Nachreiner told me. The tech giant removed the home button/fingerprint sensor, meaning users must use facial identification to unlock a phone if they’re not using pass codes.

While aesthetic design was probably a major factor, “there is an argument that facial recognition is easier, too,” he says. “The one big strength to biometrics is ease.”

Authentication can be a weak link in cybersecurity if a password isn’t strong.

“How do you get people that strong authentication without a lot of work? Well, it’s easy to put your finger on something,” Nachreiner says. “It’s even easier just to look at your phone. I think a lot of it is just trying to make strong authentication a little bit easier.”

Taking the ball and running with it

Fingerprint technology and facial scans have evolved in the last five years.

“Samsung had very basic facial recognition that you could use to unlock your phone, but the problem is that technology was based on a 2-D camera, (which) had a lot of flaws,” he says. Someone could show a photo to the Samsung phone and unlock it.

Apple has updated the technology to create a 3-D model, “projecting a bunch of dots on your face, and that’s actually giving them a 3-D model, a 3-D map of your face. So their facial recognition is not just a picture of your face, it’s a model of your face.”

There’s always a catch

A unique 3-D identifier is a valuable data set, which means some bad guy somewhere is figuring out a way to steal and use it.

“That’s one of the worrying things,” Nachreiner says. “You can imagine if that data, to identify who you are, gets into the wrong hands … it may be used to create ways to spoof other systems.”

Consumers should be aware of how 3-D images of their faces are being stored. Are companies storing them in the cloud? Can anyone access them?

Apple says the image is on a secure enclave that’s only on your phone.

“They are actually securing it relatively well, but in the past, hackers have done things like decrypt the secure enclave’s firmware,” he says. “In the future, you do have to worry about someone perhaps getting that data, that 3-D model of your face,” then using the image to steal your identity.

Looking for a shield

More digital data is being stored in the cloud, and cybersecurity companies haven’t figured out how to securely lock everything down yet.

“If your data is in the cloud, the way you interact with that data is, you authenticate,” Nachreiner says. As more companies use biometrics as an authentication factor to access cloud storage, “that’s why this 3-D model of your face on the phone could be so valuable.”

“One other issue of facial recognition is there are other ways that I could rebuild a 3-D model of your face (through) something called photogrammetry,” he says. “If I go on social media and you happen to have a profile picture … and a few other angles of your face, I can actually use software to build a 3-D model.”

Researchers have taken a 3-D model, printed it and tricked 3-D systems. “Unlike a fingerprint, which you kind of need special gear to see, photographs are out there publicly,” Nachreiner says. For a deeper dive, listen to the accompanying podcast.
