> why do companies insist on getting this shit backwards?
They don't have it backwards, but they're also simplifying when they say it's your password. In the presentation they actually say specifically that there's a chance that someone else can unlock your phone (1 in 50'000 for fingerprint, and supposedly 1 in 1'000'000 for Face ID, given that you don't have a twin).
Reality is that it's somewhere in between. A fingerprint sensor or face reader will keep casual snoopers - and most people who find your phone on the street - out. That's all that matters for most people. It's not a username. It's at least moderately hard for someone to duplicate, and it's not something you'd actively share with someone. It's not as safe as a password, but Apple isn't trying to claim that either.
I think it's a good idea to avoid false dichotomy here. Biometrics is biometrics. It should be treated as distinct from passwords or usernames.
Watching someone key in a PIN and recording it, then swiping the phone is easier than building a 3D printed color model of someone's face. Not to mention that having the biometric unlock sitting on top of a PIN means that there are many fewer chances for the PIN to be observed.
Whether biometric access is a password or username is trying to force the wrong paradigm. Going back to first concepts, we had keys and we tried to make them hard to copy but not too inconvenient. The face is the key. No, there's no practical way to re-key this lock, but it's still a lock and key. But the door also has a deadbolt (PIN code) which has to be disengaged for the "face key" to function.
The username concept applies when you have multiple people using the same resource (and don't want to know or reveal whether any 2 people use the same password) -- which again doesn't apply to a single-user device.
Finally, all this combined with the quick "hard lock" of the device (5 taps of power button) gives me the impression of a very thorough approach to security.
> Watching someone key in a PIN and recording it, then swiping the phone is easier than building a 3D printed color model of someone's face. Not to mention that having the biometric unlock sitting on top of a PIN means that there are many fewer chances for the PIN to be observed.
With how cheap video surveillance is these days, any PIN that you've regularly entered on your phone in public is probably recorded on video somewhere.
So is your face, of course, but like you said that's much harder to reproduce.
> Watching someone key in a PIN and recording it, then swiping the phone is easier than building a 3D printed color model of someone's face
Right, but couldn't somebody just use my actual face? Steal my phone, hold it up to my face for a second to unlock it and then run off?
A really interesting thing to think about is what happens if somebody is in custody and is refusing to unlock their phone, but uses face authentication? Can the police just hold their phone up to their face and unlock the device that way or is there any protection from that in the law?
I thought something was mentioned about "active gaze" in the keynote? The phone detects if you're paying attention; it doesn't unlock if you have your eyes closed, it doesn't unlock if you aren't looking directly at it.
Should make it more difficult (though not impossible) to force an unlock by waving the phone in an unwilling person's face?
You only need to look at the phone for a brief moment. It's designed to quickly unlock. If you had to stare at the phone for 10 seconds it would be a frustrating experience.
Except that a regular pin pad lets anyone enter the pin. Your pin code can only be keyed in by 1:1000000 people [citation needed]. So no, your pin is not on your forehead. Your pin is an organic material with color and depth and movement that for all intents and purposes is your actual forehead.
The average opportunist thief won't be able to duplicate that key. The best that they can do is use your actual face, within a few feet from you, while you're staring directly at the phone in their hands.
Funny you should say that, here's a video of a guy accidentally unlocking a phone and using his apple pay by pointing it at him https://youtu.be/WYYvHb03Eog?t=1m27s
> building a 3D printed color model of someone's face.
A 3d rendering on a screen is probably enough. The device seems to infer 3D from motion, but would probably be fooled by a rendering or even a recording.
That makes all the interlocutors you had on video chat as potential ID thieves.
False. iPhone X has points(invisible) projected on your face from what depth is calculated. Same as xbox kinect i assume. So 3D rendering on flat display wont fool iphone.
It's been done one some laptops via Intel RealSense depth cams or similar hardware. Not sure if any other phones have featured this, though. The ones I've seen typically add the depth cam on the back for niche stuff like 3D scanning.
It wasn't that it failed to recognize, it was that it had restarted, and all iPhones require the passcode to unlock the very first time after restarting. (You can tell by the small text over the PIN pad in the video.)
My guess is that he didn't want to dwell on the issue, or didn't know the passcode.
Facial recognition is something humans are known to be better at than computers, and identical twins throw off humans all the time.
Even when computers surpass humans at this task (probably not that far off) they will likely have difficulty with identical twins because of how they do facial recognition. At the moment computers do it by identifying points that correspond to the geometry of the face, like nose, eyes, and cheeks. These are all features that would be similar between twins. Usually humans can differentiate twins by fatness, scar tissue, hair style, etc. Not something that can't be overcome, but also not something common with current approaches.
The FAR rate is quite misleading especially for facial recognition. FAR counts on the data being "random" for that 1:50,000 or 1:1 million to be true. But you can bet whoever is targeting you will build a 3D profile of your face out of all the pictures it can find on you online. I at least assume it won't be "easy" from the get go to bypass Apple's face unlock tech, like it was for the Galaxy S8 with a god damn 2D picture that we've been known for a decade that's an effective attack, but I also don't think it's impossible. Machine learning techniques will become advanced enough in a few years to build someone's 3D profile like that.
Plus, as the parent said on the issue of not being able to replace your face as you can your password, they can still target your face data stored on the phone.
Okay, but shouldn't developers make security easy? This makes introducing a sizable hole into existing security easy, which is the opposite of what you'd want.
Something that I think people underestimate is just how easy it is to observe you entering your password on a phone, and why that (in my opinion) makes thumbprints much more secure than passwords for casual usage - e.g. every-time you unlock your phone.
All you need is a camera over your shoulder and you don't even need to observe the key-presses as generally the current character is displayed on screen. You could likely observe 100s or 1000s of them a day with an overhead camera at transit stations and the like.
The same thing goes for "Tap And Go" contact less payments not requiring a PIN number under $100.
Everyone goes on about how people can run up a few hundred dollars at different stores with your card if they steal it. But consider exposing your pin to surveillance during most common transactions which then also lets you remove cash from an ATM with that card if stolen which is much harder to recover and is also much higher value than the generally $30-$100 limit for transactions without a PIN.
Next minute you'll freak out when I tell you I can clone your house key from a photo of it hanging off your belt...
The general point is that security trade-offs are generally deeper than you might realise on the surface, especially at "public outrage" levels of observation which so frequently haunt the public mind in recent times.
The other thing is that I kept my phone unlocked in the time after physical keyboards were dead but before fingerprints. There are way to many situations where I want to unlock my phone with one-hand.
A fingerprint lock is way more secure than no lock.
People will freak out... but I don't lock my phone. Never have.
It's either in my pocket or in my hand, and I never ever put it down in public. If get mugged (god forbid.. and do people still mug other people for phones these days?) there's nothing mega personal on it, and I can remote erase it pretty quickly.
I live in Dresden (Germany), and I've never even heard of anyone who has been mugged here. Sure, there will be cases in the statistics, but I can not name anyone who has been mugged, ever.
This is a great point, and why I'd like to see more features being locked without a passcode. The move in iOS 11 to restrict device imaging without a passcode is a great step in this direction.
Perhaps we can see more customization as to what biometrics unlock and what they don't?
As long as biometrics don't unlock secrets (keys, passphrases, shared data etc) it is fine. In all other cases you are correct and it needs some form of replaceable, retractable secret i.e. a passphrase.
This would be a very welcome feature but considering how the secret stores work at this point it is not likely to see this any time soon.
Sidenote: The false positive rate on any biometrics is way higher than you think (it is highly disadvantageous to be black unfortunately, yes biometrics are racist). People usually consider the near bound (e.g. small sample size, high differentiation unless you have twin) of the people around them as proof it is impossible but this has been problem a fallacy in even mediocre sized studies.
It still works but I would really like to see your suggestion to make sure real secrets are properly stored/safe.
> As long as biometrics don't unlock secrets (keys, passphrases, shared data etc) it is fine.
That's a weird definition of "secrets". Mails may contain secrets. Pictures may contain secrets. Messenger posts may contain secrets (cf. all the leaks of chatlogs).
If I remove all apps from the homescreen that may contain secrets, that leaves me with the flashlight and Candy Crush.
On ATMs they use a keyboard with random multiple digits per key, e.g. "2 or 7", "8 or 0", etc. That's a defense to the "observing-attack", but it's slow and boring. Also, someone could unlock with other password.
Biometric data is authentication. One looks at their mother and says "hi mom" not "what's the passcode?". Your issue, I think, is that you don't trust the tools on the phone to read faces or fingerprints well enough to detect fraudulent login attempts.
Factors of authentication:
* What you know - things like passwords online that other people shouldn't know
* What you have - Two-factor tokens, certs (kind of "know" but used to supplement "have") that other people shouldn't have
* What you are - Biometrics like finger, face, or eye that are unique and difficult to duplicate or trick (ideally)
So the question becomes which and how many factors to require, and when, depending on the risk model.
Unless you believe Apple is lying, that information is never sent to them. The hardware is designed such that, with TouchID at least, it's never even seen by the CPU on the phone.
If you do believe Apple is lying and is secretly phoning home with your personal information, then I think you'd have bigger problems than fingerprints; I would be more concerned about surveillance on everything you do with the phone.
What kind of analogy is that? I don't know what you were trying to say but you're way off on saying it. I think OP's point stands, biometrics: are not be relied upon for these matters.
What OP means is that at least theoretically faces contain enough information to uniquely and correctly identify someone, which is the reason why we identify someone by looking at their face. If iPhoneX was as good as a person in recognising faces then this discussion would be meaningless.
It's not a password, but it's not a username either. It's something in between: It's vastly easier for me to type your username in the login box than it is for me to create a sophisticated prosthetic or high resolution 3D scan (with correct infrared coloration) of your face.
I wish people would stop repeating the canard that biometrics are usernames, not passwords. Biometrics are biometrics. They are different from both usernames and passwords. They have their own advantages and limitations. Learn them, understand them, and use them or not based on what they are, not some other thing they sort of seem like.
The weird thing to me is that apparently we have so many people on HN that consider themselves worth the effort to make full 3D renderings of their faces just to unlock a phone. Unless you were Osama Bin Laden, it seems highly unlikely anyone would go to the trouble. If you are that kind of person, you’re probably going to be protecting your information with much more than Face ID.
There would be more than enough detailed photos and videos of politicians, celebrities and business leaders floating around for a skilled sculptor to recreate their faces, there'd be some high value targets there.
Your both right and both wrong. Biometric authentication is an identity scheme. The combination of username and password is also an identity scheme. A certificate chain is another identity scheme.
Identities both identify who you are and are, ideally, difficult to fake. Username password artificially handled those two concerns separately, but that doesn't mean that all identity schemes must do so. For them to say it's your password is wrong, but for you to say it's your username is also wrong. It can be thought of as both or neither but it isn't either one on its own.
Their job is to sell. They want everyone watching to understand exactly what they mean.
For what it's worth, I would say that Face ID isn't quite a username either. Once known, anyone can reproduce a username. I can't easily recreate your face even if I know you well. That would require an extra set of skills/equipment. The same argument goes for Touch ID.
In a perfect world, we wouldn't actually need passwords. If a machine can reliably tell that you are really you, then what's the point of passwords?
That actually works very well between humans; we let friends in our house without asking for passwords. Machines still have a bit of catching up to do, but Face ID is a step in the right direction.
No they don't. They behave like a username/password combination. A username is an individual identifier and a password is a confirmation that the identifier is valid for the person it's identifying. TouchID and FaceID confirm both - that it's the correct user that has access and that the user is who they say they are.
Definitely this. When I was using an iPhone, it was for all intents and purposes locked behind my thumbprint (even though you could theoretically make a model thumb with my fingerprint and unlock it, it protects from everything other than highly skilled criminals/governments who very specifically target me). Now that I have a Galaxy S5, there's no way I'm writing in a passcode every time I unlock it (and that horrible "fingerprint scanner" is not a replacement for Touch ID), so it's just unlocked.
I consider biometric data a keepalive, nothing more. Any biometric system that doesn't require a non biometric pass at some point after boot before the biometric becomes a means of device authentication is broken, to me.
If only we had high resolution 3d printers or people who can carve lifelike portrait replicas out of stone! Oh, wait, we do. A bit more complicated, but if you think this is not way to simple to fool, you're out of luck.
If they can build a captcha that keeps out robots based on mouse movements, I'm pretty sure they can build a facial recognition system that can keep out prosthetics based on facial gestures.
I agree and I think most of the comments here cover why this should mostly be OK.
Another neat feature in iOS 11 is the ability to disable Touch ID quickly, but touching the lock button five times. I assume this works for Face ID as well – this would help those who have immediate concerns that they would be coerced into using biometric data to unlock their device.
Isn't it though? It's the "password" to the secure enclave which then provides a "password" to the OS.
Edit: I agree with your statement that "a password is something i can change if it gets compromised. a password is secure from others." Which is why I like that there is a method for disabling TouchID/FaceID with iOS 11.
Apple is speaking to a broad consumer audience, not just technical people. "Password" is a reasonable concept that will be easily understood by a lot of people. "Biometrics" is not.
Who you are (authentication) and what you can do (authorization). But for iPhone they are effectively one and the same since there's only one account on the phone. You can only authenticate as the phone's primary user, after which point you have full authority.
When, Oh When!, will my kids get their own home screen and separate sandbox, limits, etc. when I hand them my phone?!
Wow you sound like a real joy to work with. I don't think you've learned to step out of the shoes of an engineer and put yourself in the shoes of an average consumer or the company selling a new phone. The average consumer does not give a shit about the technical definition of a password.
no, it isnt. and neither are your fingerprints. none of this publicly available data is a password.
a password is something i can change if it gets compromised. a password is secure from others.
biometric data is a username/id.
why do companies insist on getting this shit backwards?