As it launches the iPhone 8, Apple is expected to have replaced or augmented its Touch ID fingerprint scanner with split-second facial recognition software.
The verification system will be used for unlocking the phone, signing into apps and for authenticating payments made through Apple Pay or iTunes.
The Samsung Galaxy 8 and other devices already have facial recognition, but this particular move could be impactful on a few different fronts. According to Andrew Bud, CEO of iProov, which has patented facial verification technology, this first and foremost marks the dawning of mass-market adoption of face verification as the chosen method of user authentication.
“Firstly, it is significant that Apple has chosen face over other biometric options such as iris or voice,” he said via email. “For an organization with such strong user experience credentials to come out so strongly in favor of the face as its chosen method of authentication sends a clear message about how user-friendly and secure it is over other biometric options.”
Secondly, he said that the particular type of facial verification technology Apple is using is a clear assertion of the importance of taking a robust anti-spoofing approach to facial authentication.
“With lower-grade facial recognition techniques, fraudsters have a good chance of being able to dupe a system into thinking it is the real user simply by using a stolen image of their target,” Bud explained. “However, we’re pleased to see that like us, Apple has invested heavily in anti-spoofing technology to stop that happening. Both the Apple and iProov systems work by a using ‘controlled illumination’ to create a sequence of reflections which produce information about the 3D shape of the face. Together with advanced face-matching technology, the systems then use this reflection information to establish that he/she really is whom they look like and not a spoof.”
All of that said, there are still limits to its effectiveness, since the approach is device-based, he added, noting that cloud integration could be helpful.
“When everything is done on the device, there is no supporting system to detect and defend against attacks,” he said. “Successful attacks are invisible until either the user realizes they have been defrauded or the attacker chooses to publish their success on the internet.”
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/