Security: is Face ID really more secure than Touch ID? The practical view.
This is another one of those places where security geeks and probably IT people get wet for all the wrong reasons.
On paper Face ID is totally more secure than Touch ID. Touch ID estimates only a 1 in 50000 chance of a false positive, whereas Face ID is supposed to be more like 1 in a million. That is like a 20 times increase. How can that possibly go wrong?
Well, as it turns out, depending on how those stats were arrived at, potentially quite easily.
The difference is in what I'll call "locality". With Touch ID, those 1 in 50k people are more or less distributed equally all over the globe. So, those odds, 1 in 50k basically apply to anyone who picks up your phone. Your mother, your brother, your identical twin, the guy down the street, your doctor. Everyone.
That is because we all have unique fingerprints which aren't more or less similar based on familial bonds, geography, diet or really anything we've identified. Fingerprints are pretty darn random. So, unless you have a complex fingerprint database and know what features and similarities are more or less likely to fool the sensor, you're not likely to intentionally exploit this, except by grabbing tens of thousands of random people and having them each attempt to spoof the sensor. And if you can organize this... then why not 1 million people? I mean, it is an order of magnitude and a bit larger in scale... but brute forcing with 50k people's fingerprints is already ludicrous.
So, really, we're concerned primarily with someone stealing your phone and it just so happening that their fingerprints are similar enough to yours that they can not only unlock it, but unlock it somewhat consistently. Because, seriously, just because I can theoretically unlock your phone, it doesn't mean I can do it every time. And since I have no reason to believe my fingerprint is similar to yours, I have no reason to repeatedly attempt it after a few failures.
Face ID may be 1 in a million odds of cracking it, but as the reviews come in we start to see a problem emerging: twins, or even very similar-looking siblings in some cases, are able to unlock phones. In other words, the technical odds may be 1 in a million, but it seems much more likely that one or more of those "1 in a millions" are geographically in the same area as you. And perhaps even regularly physically close to your phone. It also means that if I know whose phone I stole I also probably have an idea of whose face might unlock it.
In fact, why not take emerging tech like dual lens cameras and use the depth information to help us identify potential matches? Now, even though that 1 in a million may be higher than 1 in 50k, if I stole your camera and was able to map your face with my theoretical app, I would have a MUCH easier time of finding one of those 1 in a millions to help me unlock your phone.
On top of that, it also seems like it would be a lot easier if you found a potential match to use their face unknowingly to unlock the phone. Or hey, even the person whose phone you've stolen.
Here is a theoretical trick. I steal your phone. I pop it into a different 3rd party case. I catch you off guard (perhaps before you even notice your phone has been stolen), and say I'm doing a social experiment to see who will take a selfie with me. I hold up your phone, in my phone case and use your face to unlock it.
Oh, how about another one; I'm a tech journalist, I have an iPhone X and I'm testing how secure Face ID is. A random one of my colleagues configured it to their face so I don't even know where to start. Can you please look at this phone and see if your face unlocks it? We have prizes if you manage to "win".
So, while it reduces the odds of a random person unlocking some other random person's phone, I'm not sure the odds are tangibly better. First of all, if 1 in 50k feels low... I'm not sure a 20 times increase is really that meaningful.
Secondly, I've seen nothing to indicate that those odds don't ignore distribution-related concerns. Those 1 in 50k fingerprint false positives should be randomly distributed. But, it seems like the rate of false positives for Touch ID should show a bias based on things like age, gender, build, and ethnicity. So, are those 1 in a million odds still that high in a community with similar ethnicity, age and average weight? Or is it adjusted so that it is just a true 1 in a million?
Are the odds still 1 in a million at school? Where my friends who want to steal my phone are all the same age? What if my school is also largely populated by people of the same ethnicity?
I'll have to dig around. Would be interesting to see if there is any technical information on how they arrived at those stats.
Anyway... while I did spend an article trashing the iPhone X's Face ID more or less, my point isn't to continue trashing it further. It is really more to shine a light on how not all statistics are created equal. In this case, contrasting the stats for Face ID and Touch ID was a good representation. Primarily because I was thinking about the functional differences between the tech when I thought to write about this.
Also, while my point is largely that Face ID is probably not as secure in practice relative to Touch ID as Apple claims... it is probably at least as secure in general, if not more. People tend to read into stats alone and it can lead to poor decisions. Just as with other security-related decisions people tend to make.
If you haven't noticed, a big bone of contention for me with most things is when people use metrics to justify things without ever trying to understand whether or not those metrics are actually relevant.
Metrics allow things to be measured and measured in relation to each other. But just because X scores 20 times better than Y on a certain metric, it doesn't mean X is 20 times better than Y. You've got to verify that the metric used is accurate within the scope of the problem you're trying to solve and determine how important the thing that metric actually measures means to you. I don't think anyone would argue that the iPhone X is 20 times better than the iPhone 8 simply on the basis that Face ID is 20 times less likely to yield a false positive than Touch ID.
And of course, that 1 in a million doesn't have sufficient context from any reports I read to indicate what factors might limit its effectiveness. We tend to hang out with people of similar age and gender and live in communities (where practical) of people of the same ethnicity, language and beliefs.
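The "locality" argument can be put into numbers. The sketch below is an added example, not something from the original post: it compares the chance that at least one person in your regular circle gets a false match under a uniform rate versus a rate that is elevated for a few lookalikes. Only the 1 in 50,000 and 1 in a million figures come from the post; the circle size, the number of lookalikes and their false-match rate are assumptions made up for illustration.

```python
from math import expm1, log1p

TOUCH_ID_FAR = 1 / 50_000     # per-person figure quoted in the post
FACE_ID_FAR = 1 / 1_000_000   # per-person figure quoted in the post


def p_any_match(strata):
    """Chance that at least one person in a population gets a false match.

    strata: iterable of (number_of_people, per_person_false_match_rate).
    Computed as 1 - prod((1 - p) ** n) in log space, which stays accurate
    for very small p.
    """
    return -expm1(sum(n * log1p(-p) for n, p in strata))


def compare(circle, lookalikes, lookalike_far):
    """Exposure in one social circle: (Touch ID, Face ID headline, Face ID local)."""
    touch = p_any_match([(circle, TOUCH_ID_FAR)])
    face_headline = p_any_match([(circle, FACE_ID_FAR)])
    face_local = p_any_match([(circle - lookalikes, FACE_ID_FAR),
                              (lookalikes, lookalike_far)])
    return touch, face_headline, face_local


def break_even_far(circle, lookalikes):
    """Lookalike false-match rate at which Face ID's exposure equals Touch ID's."""
    log_q = (circle * log1p(-TOUCH_ID_FAR)
             - (circle - lookalikes) * log1p(-FACE_ID_FAR)) / lookalikes
    return -expm1(log_q)


if __name__ == "__main__":
    # Constructed scenario (assumption): 30 people regularly near the phone,
    # 2 of them close relatives with an assumed 1-in-100 false-match rate.
    touch, headline, local = compare(30, 2, 0.01)
    print(f"Touch ID, uniform rate:   {touch:.6f}")
    print(f"Face ID, headline rate:   {headline:.6f}")
    print(f"Face ID, with lookalikes: {local:.6f}")
    print(f"Break-even lookalike rate: 1 in {1 / break_even_far(30, 2):,.0f}")
```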
The same sorts of arguments can of course be made of, say, Touch ID vs. a PIN. We can certainly come up with situations where a PIN is more secure than even a fingerprint, even though a 4-digit PIN, as is most common, has fewer permutations than that 1 in 50k. For instance, if someone stole my phone while I was sleeping and it was only protected by fingerprint, if my hand was exposed my phone could be unlocked by fingerprint without my knowledge, whereas a PIN would have posed a legitimate barrier despite being technically less secure.