With the rise of facial recognition technology, our fingerprints may be supplanted as the convenient biometric of choice to save us from typing in passwords. There’s nothing new about the idea of using your face to unlock your phone or other devices, but when Apple made Face ID the star of its iPhone X reveal, facial recognition took a big step towards the mainstream consciousness.
The reception to the iPhone X has been overwhelmingly positive. Despite some quirks with Face ID, we found it to be fast and convenient in our iPhone X review, noticeably improving with time as it builds a more complete model of your face. Apple is so confident in Face ID that it’s likely to replace Touch ID in all iPhones — even iPads — going forward, according to KGI Securities analyst, Ming-Chi Kuo.
“Apple’s always been the sign of acceptance for the tech industry,” Todd Mozer, CEO of Sensory, told Digital Trends. “We saw it with Siri and speech recognition and now we’re seeing it with face authentication. Having Apple and Samsung do it makes it pretty standard for mobile phones, but we’re seeing it start to penetrate other areas too. There seems to be a broad move towards face authentication right now.”
Samsung has been experimenting with facial recognition for years now. The first time we tried Face Unlock was on a Samsung Galaxy Nexus running Android 4.0 back in 2011, but it was easily spoofed by a photograph. Various versions of facial recognition have followed in the last few years, but questions about security have persisted.
There’s always a trade-off between false reject and false accept.
The iris recognition system of the Galaxy S8 was supposed to offer a new high level of security, but it was successfully spoofed by the Chaos Computer Club using a digital camera in night-shot mode to capture the iris, which was then printed on a laser printer. The final touch was a contact lens placed on top of the print to emulate the curvature of the eye’s surface.
Your average thief isn’t going to go to that kind of trouble, but with Face ID, Apple has ratcheted the level of security another notch, describing the chance of a random person unlocking your iPhone as “one in a million.” Attempts to spoof it, most notably from Wired and the Wall Street Journal, have found it to be no easy task — but it has been done. So far, there have been two cases where the technology has been fooled, one involving a 3D mask, and the other a 10-year-old son unlocking his mom’s iPhone X.
Still, Face ID improves over time — that’s why Apple doesn’t recommend ever removing your Face ID data, because the tech then has to start learning your face from scratch. But the problem with making the security level too high is that the legitimate owner is going to get rejected some of the time.
“There’s always a trade-off between false reject and false accept,” Mozer said. “To get your false accepts as low as one in a million, you’ve got to make it harder for the right person to get in.”
Sensory is the company behind TrulySecure, a voice and vision authentication solution for mobile phones and other devices. LG licensed its technology for the facial recognition tech in the LG V30, Q6, and G6 phones, and its voice recognition service was employed in the Moto X. Apple’s Face ID relies on special hardware that projects a grid of 30,000 infrared dots onto your face, and then employs an infrared camera to assess the distortion. Sensory’s tech works with almost any microphone or camera.
“Sensory’s philosophy is to layer biometrics on top of each other,” Mozer said. “We don’t think it’s one versus another. We have a bias for the most convenient ones, the ones that are least intrusive, the ones that don’t require special hardware — so we really like face and voice.”
The technology works well. It quickly and correctly identifies Mozer’s face and voice, and isn’t fooled by a photograph. Sensory has made a study of this, gathering 1TB of face data every week through its free Android app, AppLock, in the Google Play Store. This aided in the development of an accurate algorithm and powerful anti-spoofing. It’s not as secure as Face ID, but how secure does it need to be?
“With face, we’re getting pretty close to 1 in 50,000,” he said, in terms of the chances of a random person unlocking your phone with Sensory’s tech. “We can do 1 in 100,000 if we make the false reject rate a little bit higher,” Mozer said. “Voice is a little bit worse, but voice has much more dependency on environmental conditions including the distance from the microphone and the background noise.”
“Everything points to the fact that consumers prefer convenience over security.”
The voice recognition element of TrulySecure provides a backup method if the facial recognition isn’t working, for example, when it’s dark. Making the false reject rate higher would make it more secure, but that’s going to be frustrating for users. We’ve found Apple’s Face ID to work remarkably well so far, but there’s still the occasional false reject — at least it works in the dark.
“Everything points to the fact that consumers prefer convenience over security,” Mozer said.
This balance between security and convenience is a recurring theme when you talk to anyone about biometrics. The consensus seems to be that convenience is more important to most people. Take a look at OnePlus’ latest smartphone, the OnePlus 5T. The Chinese company explicitly said their technology cannot be used with Android Pay, or even to get into secure banking apps. It’s expressly for convenience, and we found it to be an incredibly fast and reliable way to unlock the OnePlus 5T.
“Aite Group has primary research that shows that given a choice between convenience and security, the majority of consumers choose convenience,” Julie Conroy, research director for the Aite Group, told Digital Trends via email.
But is facial recognition more convenient? There are certainly situations where fingerprint sensors are faster, and they don’t require us to look at our phones.
“I think we’ll see facial added as one more form, but I don’t think it will become primary anytime soon,” Conroy said. “One reason consumers have so readily adopted the fingerprint sensor is because it’s so easy for most. Using facial recognition is more involved, and so while it’s more secure, I don’t think consumers will immediately flock to it.”
We may be used to fingerprint sensors, but they do also have quite a high false reject rate. If you’ve ever tried to unlock your phone with wet or dirty fingers, then you’ll know that. They’re also not really a high mark for security. Apple said the chance of a random person gaining access via Touch ID with their own fingerprint is 1 in 50,000. Interestingly, the odds of guessing a typical 4-digit passcode are 1 in 10,000.
But there’s a difference between random odds and concerted efforts to spoof systems. As long as you don’t write it down, your password or PIN can only be guessed at, but biometrics are different.
“Biometrics aren’t secrets if you think about it,” Tom Grissen, CEO of Daon, told Digital Trends. “My voice isn’t a secret, a photograph of me isn’t a secret, and my fingerprint is left on surfaces all over. Technically any security system could be defeated.”
“In the next five years we’ll see more in human authentication that we have in the last 50.”
Yet it’s rare to hear of frauds using dummy fingerprints. How often is biometric security being fooled to gain access to devices outside of security research circles? Even the FBI had quite a bit of trouble to get into the San Bernardino shooter’s Touch ID-enabled iPhone. It’s impossible to know for sure, but for the most part our current level of security seems to be sufficient.
“People have come to trust biometrics because it delivers this convenient, secure experience and it works really well,” Grissen said.
Daon, a biometric authentication company, recently partnered with Visa on its ID Intelligence platform. It’s what Mark Nelsen, senior vice president of Risk Products and Business Intelligence at Visa describes as “an authentication marketplace that brings together some curated, vetted technology that we would like our clients to get access to.”
That includes a document verification service that allows you to take a selfie and scan your passport or driver’s license to set up a new account or take out a loan online via your smartphone. Visa is keen to encourage greater adoption of fingerprint, face, voice and other types of biometrics Daon can offer through mobile devices with the sensors, cameras, and microphones built into them.
“For any environment there isn’t a single perfect authenticator,” Nelsen told Digital Trends. “Voice can be awesome unless you’re in a loud environment, face can be great unless it’s really dark, fingerprint is great unless your finger is wet. That’s why we want to incorporate as many as we can and then ultimately we think consumers will decide which they prefer to use.”
One of the main challenges for biometrics is the fact that different people have different expectations. Daon has found that around 30 percent of customers want convenience with minimal authentication and are happy for it to happen passively, so they don’t even get an indication that a selfie has been taken. But only around 10 percent of those surveyed really want to see concrete steps, so they know it worked. The other 60 percent are somewhere in the middle. But there is one thing everyone is united on.
“We’re seeing it across all age groups, not limited to one generation, everyone hates passwords,” Grissen said. “I think passwords will hang around for a long time, but we’ll see a big shift towards biometrics in 2018 and that’ll occur in payments, banking, healthcare, insurance, telecommunications — it’ll be really widespread.”
All our interviewees agree the path to greater security is through the layering of biometrics. As the cameras, microphones, and other sensors in our smartphones improve, it becomes easier for them to accurately identify us.
“In the next five years, we’ll see more in human authentication that we have in the last 50,” Grissen said.
Behavioral biometrics can analyze our interactions, learn the way we type and swipe, and track the movement of our phones to see if they may have been picked up by someone else. Combined with things like location information, anything suspicious can be quickly flagged and prompt a facial scan or voice verification. Android phones, for example, benefit from this layering through Google’s Smart Lock, which can unlock your phone based on your voice, face, connected Bluetooth devices, trusted places, and on-body detection.
“In the past, authentication was always in our way,” Grissen said. “But I believe it will soon become technically almost invisible.”