Face ID’s Innovation: Continuous Authentication

Posted in: December 2017

Every year, as I travel around the security conference circuit, the hallway conversations always turn to the interesting things attendees have seen lately. To be honest, I can’t remember the last time I was excited about a legitimately cool security technology. I see plenty of security evolution, but not much revolution.

That is, until my iPhone X arrived on launch day, and I got to try Face ID in real-world usage. Put simply, Face ID is the most compelling advancement in security I have seen in a very long time. It’s game-changing not merely due to the raw technology, but also because of Apple’s design and implementation.

First things first — Face ID nails nearly every criterion I came up with to evaluate it in “Preparing for a Possible Apple ‘Face ID’ Technology” (18 August 2017). The false positive rate, unless you happen to have an identical twin, is 1 in 1,000,000, compared to 1 in 50,000 for Touch ID. Watch enough videos of journalists trying to fool Face ID with masks and it becomes clear that Face ID is more expensive to circumvent than Touch ID. We haven’t seen a public vulnerability yet, but I always assume one will be found eventually. Although Apple sometimes has a weak spot in underestimating bad actors, it did a good job with Face ID.

In my pre-release article, I wrote: “Face ID doesn’t need to be the same as Touch ID — it just needs to work reasonably equivalently in real-world use.” In my personal experience, and for every user I’ve talked with and in every article I’ve read, Face ID’s core usability is equal to or greater than that of Touch ID.

For example, Face ID doesn’t work as well at any angle from which you could touch your iPhone, but it works better than Touch ID when your hands are wet. I’ve tested it in all sorts of lighting conditions and haven’t found one that trips it up yet. The only downside is that Face ID lets you register just one face — my wife and I have become accustomed to being able to use Touch ID on each other’s devices.

I believe Face ID is slower at actual recognition than Touch ID, but it’s nearly impossible to notice due to the implementation. In the time it would take to move your finger to a Touch ID sensor, Face ID could have already unlocked your iPhone X.

That’s the real Face ID revolution. Since you’re almost always looking at your iPhone while you’re using it, Face ID enables what I call “continuous authentication.”

Continuous Authentication — We’re used to authentication events being discrete — you do something that requires proving that you’re the person performing the action, and the iPhone asks you to authenticate.

In the past, you had to either unlock your iPhone once and allow access to everything (well, everything that didn’t require a separate password) or put your finger on the Touch ID sensor whenever an app wanted you to authenticate. Face ID is different.

With Face ID, since you’re usually looking at your phone when an authentication event occurs, the iPhone X can scan your face as soon as you initiate the task that needs authentication, so it doesn’t need to ask you to do anything additional. And the iPhone X does this constantly. Here are examples I’ve discovered so far:

  • Notifications, by default, don’t show details on the Lock screen until you look at the iPhone X. This is my favorite new feature since it improves security with little usability impact. (However, if you prefer being able to read notifications when your iPhone is sitting on the table in front of you, change Settings > Notifications > Show Previews to Always or Never.)
  • I always disable Control Center on the Lock screen for security reasons, but now just looking at my iPhone X unlocks it so I can use Control Center. You can disable lots of other features on the Lock screen now too — look under Allow Access When Locked in Settings > Face ID & Passcode.
  • Safari now optionally uses Face ID before filling in passwords on Web sites. Previously, even with Touch ID, they filled automatically if the iPhone was unlocked. That’s enabled by default in Settings > Face ID & Passcode. Many third-party apps, such as 1Password, can also use Face ID for authentication.
  • Apple Pay and the App Store now authenticate with Face ID without prompting you for separate authentication actions.
  • Apps can authenticate as you open them. This is where I believe Face ID is a bit slower than Touch ID, but it still feels faster because I don’t need to touch the Home button.

In short, Face ID allows your iPhone X to authenticate you under nearly every circumstance you need without requiring any action other than looking at the screen, which you’ll do anyway.

We’re just scratching the surface of what this first generation of Face ID makes possible. Imagine the use cases as Face ID gains features like multiple user support and as Apple starts embedding it in other devices. As an example, one of the most significant problems in healthcare security is the need for users to authenticate quickly to shared workstations in clinical environments. I could see a future version of Face ID embedded in an iMac solving that problem, changing an entire industry, and selling a lot of iMacs!

I’ve previously said that Touch ID lets you use a strong password with the convenience of no password at all. Face ID exceeds that mark, and its introduction of continuous authentication may be the ultimate expression of effortless security.

[A previous version of this article aimed at security professionals appeared on my blog at Securosis.]