At the time of writing, Apple have just announced their new iPhone X, a phone offering FaceID. What is FaceID? It uses a complicated mixture of infrared imaging and dot-projection technology to scan your face and confirm that you are really you.
Beyond the technology that actually makes it happen, it sounds simple to use. Perhaps even easier than the TouchID fingerprint scan on previous models, as you only need to look at your phone.
But whether you use FaceID or TouchID, you are submitting highly personal data that you cannot change to your device as your security token. We have seen in the past how researchers broke TouchID within 48 hours of its launch. In time I’m sure we will see creative researchers break FaceID too.
The problem is that once we run out of digits and other unique identifiers, we will find ourselves in a situation where we have inadvertently uploaded our entire identity into the cloud.
Maybe not immediately, but eventually organisations will attempt to centralise this data in one big database. If recent history has told us anything, including the Equifax leak just this week, it is that big troves of data are a tempting target for identity thieves.
Already security specialists are advising that, through the Equifax hack, 143 million people have been exposed to lifetime risk by having their social security numbers stolen. And that is just a unique identifier allocated by a government, one that could technically be changed given sufficient demand.
What if instead the biometric identifiers of every iPhone user, or even every mobile user, were stolen? I don’t see a government-led initiative ever taking place to provide plastic surgery to prevent identity theft.
Once your TouchID, FaceID, IrisID, VoiceID or GeneID data is leaked there is no going back. That data, your digital selfie, is in the wild for life, for better or for worse.
In the short term you can opt out by using passcodes, but that is simply opting out of modern technology. Eventually you will be faced with unavoidable scans for enhanced security measures, and that data is even more likely to end up in centralised databases.
I definitely don’t have the answers, but if we thought passcodes were insecure, leaked biometrics are going to become an even bigger security issue, and one that can’t be so easily changed.
Whilst not as magic as a login that works with a glance, the most secure approach for now is likely a mixture of factors:
- Something you have e.g. your phone, or yet another “dongle”…
- Something you know e.g. your passcode
- Something you are e.g. your biometrics
Based on this approach the iPhone X could already be enough, if Apple allowed these factors to be stacked. However, this isn’t something they will likely want to do in a hurry. The support costs of people locking themselves out are sure to rise, and securely restoring access can be just as challenging, if not impossible.
So what is one to do?
Well, for now, probably just use a passcode and make Animoji videos of yourself as a talking poo…