> ...when you do use the biometric options we're about to get into, you're still going to need [a pin] on your phone anyway. For example, every time you hard-reboot an iPhone with Touch ID you need to enter the PIN<p>This is what has been missing from every discussion of this issue that I've seen so far.<p>The face scan isn't "insecure" even if you're worried about border searches. Just turn off your phone when you get in the security line! Pin will be required on start.<p>Pin is also required when plugging into a new computer.<p>The rest of the time when you're going about your daily life, and are not worried about a government agent spoofing your face or pointing the phone at your face, you can use this nice feature.<p>Most people will be _less_ secure without it. They don't want to punch a pin every time they want to tap their phone to pay for coffee. So without the face scan feature, they will opt for no security at all.<p>The reboot/plug-in pin requirements change the discussion quite a bit, but are usually ignored, seemingly so bloggers can state the obvious "but someone can spoof your face!"
I really liked this write-up because it focused on the <i>practicality</i> of the various security mechanisms. Most articles I see usually have a blanket statement like "All biometric security mechanisms are bad!". I think this article does a good job comparing the various logins and describing the pros and cons for different people. Specifically, I appreciate the author calling out when people bring up the "What if" edge-cases, where the correct response is you likely have much bigger problems at that point than the security level of your phone.
Re: the pushback the author got on Twitter; I believe in skepticism towards corporations and marketing claims, but the level of cynicism online towards any new tech idea or product seems a bit out of hand. There's a certain trend, on Twitter especially, of people racing to prove they're either more woke or smarter than the teams of people behind things that are yet to even be released. I mean a "wait and see" attitude wrt the actual effectiveness is good, but I don't get why we need to concoct extreme hypotheticals here suggesting Apple is somehow irresponsible for adding an optional feature.
Given that the authentication methods are "differently secure," wouldn't it be good if we were offered the option to combine them and require both for unlock? I would love to use Face ID + PIN or Touch ID + PIN for better security.
It would be interesting if we could specify a particular face pattern to unlock the phone. Imagine you set up your phone to open only if you smile, now if someone picks up your phone and try to unlock it by pointing it at your face, not smiling would be easier than closing your eyes or looking away. Not even mentioning the health benefit of just smiling :)
This is a really well-written, considered view of the trade-offs for using different options for security. I learned a lot from reading, and the plain language discussion of the topic allows most any reader to better understand the trade-offs present for each option.<p>Much appreciated to the original author - it takes a good deal of time and effort to write something that lucid. Thanks.
> a thread emerged about abusive spouses. Now if I'm honest, I didn't see that angle coming and it made me curious - what <i>is</i> the angle? I mean how does Face ID pose a greater threat to victims of domestic violence than the previous auth models?<p>If someone has the PIN and the phone, they can get in without the person (without their biometrics.) Fingerprints and Face recognition increase the chances that an abusive spouse needs the other person <i>every time</i> they access the phone.<p>Parents who have their childrens passwords are in the same situation -- they can't snoop on their kids biometrically secured phone (like reading a kids diary in the old days.) They have to have the kids open the phone, which means the kids know that it's happening.
Would be interesting to enable voice authentication contemporaneous with face scanning to make sure the lipreading matched the utterance matches the voiceprint matches the expected face. Bonus points that a vocal channel could be used to detect duress (especially if accompanied by, say, raised eyebrows) and either require further authentication (passphrase entry) or a "false unlock" to reveal only a nearly factory fresh app and data underlying. Could also potentially send a notification to friends that your phone had just been unlocked under duress. Bonus points for in parallel hard-scrubbing the underlying true data while displaying the false boring phone interface.
Near-field worn devices.<p><a href="http://nfcring.com" rel="nofollow">http://nfcring.com</a> is an example of what I have in mind.<p>What I'd like to see is this tied into an identity system, such that the ring (or other very-hard-to-misplace, but replaceable and discardable) token is not <i>itself</i> an identity, but rather an access token to an identity store which can present any given identity to any given system.<p>That might be a <i>consistent</i> identity across multiple sessions or <i>unique</i> identities on each session. The identity might be tied to some central certifying agency (e.g., a motor vehicles department or national pensions fund), or not.<p>There are several elements of this which I'd like to see developed further, including how keys might be reconstructed or recovered using a quorum system of trusted sources (divide your key into pieces, share those amongst friends, family, or some local authority, such that key loss need not equal data loss), and possibly via law enforcement.<p>I'm also looking at the possibility of a public ledger system which might allow for both workfactor requirements <i>and</i> public disclosure of keys being revealed. This may be a viable application of crypto, though I'm not entirely sure of this.<p>(The feature might also be optional -- you could take the risk of key loss, or allow for recovery. But the present situation with PKI of losing access to <i>all</i> previously-encrypted data in the event of key loss would be mitigated.)<p>There's also the requirement for devices to have support for near-field readers. I'm told this is alreadly largely a reality, though my reading of specs for various mobile devices suggests otherwise.<p>The biggest challenges through all of this are not the technology itself, but the adoption, requirement, and enforcement of standards, including availability of tokens at low or no end-user price. Trust of the information ecosystem overall might be a suitable incentive for this to happen.
It appears that FaceId only supports a single face (unlike TouchId, which supports multiple fingers).<p>Maybe this use case isn't common, but my wife frequently needs access to my phone. Usually while driving, to change GPS routing, or playlist, or respond to SMS. With TouchId, she can do so without my PIN. With FaceId, she needs my PIN.<p>This strikes me as both less secure and quite annoying. Now, I have to repeat my PIN out loud while she types it into the device. Or, force her to memorize it (in addition to her own PIN, and I have to remember hers for the reverse situation).
For me it's not so much the paranoia or the degree of security (which is an arguable point in itself) but the commodity of it. Touch ID lets me unlock my devices without having to re-position my upper body or move them in (practically) any way, and Face ID feels awkward (I'm typing this on the device that is likely an exception to that - a Microsoft Surface Pro - and Windows Hello's face recognition works beautifully, but I am _always_ facing it when I need it to unlock, so...)
Honestly, the only downside I can see vs. TouchID is that you can in theory point the phone at the person and unlock it. However this is balanced out by not working while unconcious.<p>PINs as discused are not directly comparable.
What I want to know is what face data is shared with 3rd parties like snapchat. That seems like the bigger threat, and no one is really discussing that.
What if users were able to disable FaceID by configuring blinking x times or by having their eyes closed for a certain time period? Maybe requiring FaceID + a different PIN after recognizing that locking over the lock.
what about FaceID + pin? that would mean someone would have to know your pin as well as have access to your face.<p>you also wouldn't have to look so paranoid while entering the pin. and pin by itself would be of little value.
Stolen iPhones should be worthless.<p>Apple need to create a system where stolen phones can be reported to them, Apple can then contact the owner/verify they are stolen. And then add them to a stolen list and disable calling/apps on those phones. And display an overlay on the screen THIS PHONE IS STOLEN.<p>Every iphone would come with an validate phone feature that is accessible even when locked that can authenticate the iPhone for anyone thinking of buying it.<p>The potential buyer can check if the iPhone is stolen by using the feature that is allowed to connect to the internet and validate the phone.<p>They need to make it where stolen iPhones are worthless so when you are getting mugged criminals won't even want it.<p>Obviously have an option setup where you can transfer ownership of your phone. Maybe with a 7 day waiting period.
The complete business model is taking the p*ss imho. I am seeing more than a number of people reverting to simple €20 nokias for basic telephone + sms usage on top of a gadget / secondary device for consumption or mobile business.
Nice article. However:<p>> It's alarming not just because the number is so low, but because Dropbox holds such valuable information for so many people.<p>I'd suggest that Dropbox users somewhat self select for those not as concerned about security as others. And more concerned about availability.<p>Dropbox does not encrypt your data server side (or at the very least, can easily decrypt it). And they have proponents of warrantless surveillance on their board:<p><a href="http://www.drop-dropbox.com" rel="nofollow">http://www.drop-dropbox.com</a>
Repeat after me.<p>iPhone X is less secure than the iPhone 8.<p>Why?<p>iPhone X: Chances of someone unlocking while you are asleep is 1 in 1<p>iPhone 8: Chances of someone unlocking while you are asleep is 1 in 200,000<p>I certainly prefer the latter odds.
The only secure thing is a thing that only you know and only you can verify even if you are freely observed.<p>That is, shared secrets between you and your trusted device (meaning passwords) are the singular thing that provide authentication securely. Your password cannot be extracted from your head (yet).<p>That being said, if your risks are mundane then the benefits of biometric authentication far outweigh constant password input, not to mention that constantly entering your password exposes you to other side-channel attacks.<p>Biometrics for simple access, passwords for changes, modifies and access to sensitive information.
For me it's a simple question of cost vs. reward: do I care enough about the security of whatever data is stored with a company, that I'm willing to give the company personal information, when their terms of service almost assuredly give them complete license with it?<p>This, of course, starts with the question: do I even want to put this in the cloud to begin with?<p>Edit: I was talking about two factor auth.
This article doesn't really say much of anything. Troy pretty much just summarized a few slides from the Apple event and then ended the article saying he was going to buy an iPhone X and is interested to see how Face ID turns out. I really gained nothing from reading this.
There is an opposite use case which will make me consider getting an iPhone X for a long time.<p>Every so often, I leave my phone at home and I need my wife to get some info from it. Or my phone runs out of batteries and my wife's phone is there, and I use to to make a phone call.<p>With Face ID, these possibilities go away.
1 in 1 million FAR (false acceptance rate) vs 1 in 50,000 is pretty misleading (as is Apple tradition).<p>Do you think someone trying to hack into your phone would shoot 1 million <i>random</i> pictures/3D profiles made from Facebook pictures at your phone, or do you think it's far more likely they will already start with <i>your</i> profile made from online pictures?<p>That will likely make the success rate even higher than with fingerprints, as it's significantly easier to get someone's photos than it is to get their fingerprints.<p>> Laughs were had, jokes were made but the underlying message was that Face ID isn't foolproof. Just like Touch ID. And PINs.<p>No, not "just like". There is a huge difference between most fingerprint authentication mechanisms and most face unlock mechanisms (at least so far). Most of them could be tricked with a 2D picture - including Samsung's latest. It's very annoying to see such a statement from someone like Troy Hunt. Plus, I have a hunch he'll be eating many of the words he wrote in a few weeks when Face ID will prove much easier to hack than Apple made everyone believe it will be.