Dr. Security gives tips and answers questions related to cyber security. This time, it is about the security of biometric authentication methods.
I use the face recognition technology (Face ID) to unlock my iPhone X. How safe is this and other biometric authentication methods? (Jonas, Herrliberg)
Biometric authentication uses face, voice, fingerprint, iris or other biometric features to confirm a person’s identity. Using your finger to unlock the smartphone (e.g., Apple’s Touch ID technology) is one of the most commonly used methods. Face recognition, such as Face ID, is also increasingly offered as a way of accessing your smartphone.
Overall, biometrics have a number of pros and cons, which make them suitable for use in some scenarios but unsuitable for others. Biometrics are typically convenient to use and, depending on the combination of the actual biometric used and the quality of the biometric scanning hardware, offer variable levels of security. For example, iris scanning, often used for physical access control in military and other high-security areas, is significantly more secure and harder to forge than the fingerprint scanning found on smartphones. After all, that glass of water you recently used has your fingerprints imprinted on its surface, and a knowledgeable attacker can easily extract them. As another example, Apple Face ID, due to the quality of the technology used to perform the face scan, is arguably more secure than face recognition on other smartphones which just use the phone’s normal camera. The latter can be easily fooled by a photo of your face, while this attack will not work against Face ID.
Moreover, biometric data, such as fingerprint information, is rather sensitive, and storing it on online servers is risky. If compromised, it can potentially be abused by attackers, and you cannot change your fingerprints (you only have 10 of them) as easily as you can change your passwords.
Having said the above, the commonly available biometric authentication solutions found in smartphones are typically both convenient and secure enough for most smartphone users. It is worth mentioning that, thanks to the unlocking convenience they offer, these technologies led a lot of users who were previously not even using a passcode to lock their phones to finally add this level of protection. Also note that in such solutions, the biometric data is only stored locally on your phone (typically in some kind of secure hardware storage) and never transferred online, which makes it very hard for it to be leaked to unauthorized entities. As a matter of fact, we at Futurae also make use of these biometric technologies in our mobile app whenever they are available on the phone.
My advice would therefore be: yes, feel free to enable and use Face ID on your iPhone X, unless you are really paranoid about the physical security of your smartphone. In that case, you can configure your iPhone to unlock only with a sufficiently long and strong passcode, and you might also want to consider hiring a few guards to protect you and your phone! :)
I am happy to answer your questions, so do not hesitate to write to the Doctor at: firstname.lastname@example.org.