On the surface, I like the idea of an iPhone that uses some sort of 3D facial recognition as a security feature, but coupled with a few other technology tricks. Pick up your iPhone and it scans your face, recognizes your voice print, and knows it’s you because of your fingerprint. That sounds like a decent trio of security layers, no?
The other side of that coin was demonstrated recently during the WannaCry ransomware attack on a few hundred thousand Windows PC users. Agents for the good old U.S. of A. government stockpiled a number of vulnerabilities and exploits from the PC industry. Some of those were stolen, which made it easier for hackers and crooks to take over computers and hold them for Bitcoin ransom.
Apple seems to recognize that such stockpiling – and inserting backdoors into seemingly secure software like iOS and macOS – isn’t a good idea because once the key to the door is in the wild, nobody is secure. Thank you, Apple.
Today’s iPhones, iPads, and Macs have a variety of security options, including complicated passwords, Touch ID fingerprint sensor, and encryption. Good for Apple. Good for Apple’s customers.
Word on the street is that Apple’s next-generation iPhone may have facial recognition built in as yet another layer of security. I like the idea that my iPhone knows who I am and can tell me apart from a photo, or a voice recording, or a Mission Impossible-like fingerprint. But that assumes Apple can pull off this trifecta and bring it to market in such a way that the functionality won’t show up in a government-stockpiled stack of vulnerabilities and exploits.
Facial recognition is starting to show up elsewhere on planet Earth. Finland’s Finnair is testing such technology to speed up airport check-ins. Good idea, right? But where does the face attached to the passport or ID get stored? Are such matches completely secure in an era where almost nothing is secure from outside intervention, vulnerabilities, or exploitation?
Apple stores the Touch ID fingerprint in a special CPU enclave where it seems next to impossible to dig it out without tearing the device apart. But even if Touch ID cannot recognize the fingerprint you give it, the password can still unlock the device, so a good old alphanumeric relic from the last century is the fallback we can use to remain somewhat more secure in the digital age.
Let’s assume that Apple stores your face scan in a similarly secure enclave, which makes it next to impossible for authorities or criminals to obtain. Again, the good old-fashioned alphanumeric password becomes the fallback if the iPhone’s scanner cannot recognize your face after a late night out painting the town red, or getting a skin peel facial, or forgetting to shave for a few days.
In other words, facial recognition needs to work in such a way that we can add it to a few other layers of security – Touch ID, voice recognition, key word phrase, etc. – but still have a fallback in case the technology fails for a moment.
What bothers me about the whole idea of facial recognition is tying the technology to personal identification, as set up by Finnair during their trials. If the government, any government, decides to go to the extreme of collecting DNA, obtaining fingerprints, voice prints, retina scans, or facial recognition simply to prove who we are – for voting, financial transactions, or anything else – what happens when things go wrong?
And things will go wrong.