FACE ID: Another reminder of the paradox of security

Because convenience and safety don’t go together.

By Marcus Wong


Perhaps one of the biggest changes Apple made with the iPhone X was the introduction of Face ID. Instead of scanning a fingerprint (or two), now you use your entire face to gain access, as the new TrueDepth camera on the iPhone X will “project and analyze more than 30,000 invisible dots to create a precise depth map of your face,” which is then used to create a series of 2D images and depth maps that are safely stored in what Apple calls the Secure Enclave on your phone.

As with Touch ID, you can also set up Face ID to approve purchases or unlock encrypted data on the iPhone X with “just a glance”. It’s meant to be faster and more secure than Touch ID, but it’s also arguably more inconvenient. After all, having to raise the phone the recommended 25 to 50cm in front of you to unlock it means inconspicuously unlocking the iPhone, under the table during a conversation for example, is no longer possible.

This reliance on optical-based recognition is probably why some users have reported issues getting proper recognition under extremely bright sunlight. Familial similarities have also proven difficult for the system to distinguish, as mother-son pairs and twins have fooled the system. Evidently, the system isn’t as perfect as Apple would like us to believe.

Experts are also divided on the implications of a subset of this Face ID data being made available to developers. Some believe that Apple will eventually release certain amounts of Face ID data to developers to allow them to incorporate the feature into their apps, and are worried about how much security these developers can provide once the data is on their own servers. Others worry about how well Apple can actually police the legion of developers they now have globally.

But this isn’t new. Fingerprint scanners on phones have routinely been hacked since launch, and even Samsung’s Iris Scanner on the Galaxy S8 was hacked in due time. Basically, the endless cat-and-mouse game between security experts and their foils will continue regardless of what “secure” technology comes out next.

Mobile phone makers will continue to push new secure features for their phones because they want to convince you to buy them. Yet, how secure can a device be when it’s being transported around to as many physical locations, and exposed to as many public and private networks on a daily basis, as our phones are?

The very nature of security means that access is not meant to be easy. If you truly want to keep any data secure, you’d be better off storing it somewhere else. Offline, encrypted, and under lock and key preferably. Your mobile phone isn’t the most secure device in the world, and it’s not meant to be. There’s just no convenience when it comes to security.

