Mobile

11/2/2017
01:50 PM
50%
50%

iPhone X Face ID a Facial Biometrics Catalyst?

Apple's new multi-factor authentication technology receives mixed reviews in separate surveys.

Apple's iPhone X is expected to arrive at Apple Stores on Friday, but some security professionals are uneasy about the trustworthiness of its new facial recognition feature.

Facial recognition biometrics has been around for decades but hasn't taken off. But Apple's Face ID in the iPhone X has the potential to spur adoption of facial biometric for multi-factor authentication in the enterprise, akin to how Apple'sTouch ID has spurred fingerprint biometrics in mobile device management systems, security experts say.

Employee adoption of new technology, however, often informs enterprise adoption, experts say.

Meanwhile, two new, separate surveys, show that the degree that end-users and security professionals trust Apple's Face ID is mixed. 

Face ID Faceoff

According to Bitglass's BYOD and Identity report released today - a survey of more than 200 IT and security professionals - 60% have reservations about Apple's Face ID. Top concerns among 40% of respondents include the accuracy of face detection, while 30% worry about its ability to prevent unauthorized access.

"Even though it works similar as Touch ID, everyone has concerns with the new technology," says Salim Hafid, Bitglass project manager. "I expect organizations that allow Touch ID will allow Face ID, but there will be a wait-and-see approach for a lot of organizations."

In addition to the Bitglass survey, other infosec experts in a Wired post recently questioned the security of Face ID. In September, Apple issued a whitepaper on its Face ID technology.

But a majority of end-users, or employees, expect Face ID to be effective for multifactor authentication of users. According to a Secret Double Octopus survey of 522 employees at midsized- to large enterprises, 81% of respondents expect Face ID to be trustworthy in its accuracy in facial recognition.

"We were extremely surprised by these results, since no users have yet tried the iPhone X and used Face ID," says Amit Rahav, vice president of marketing for Secret Double Octopus.

However, 73% of survey respondents say they would prefer the facial recognition feature over passwords in a work environment. That result is comparable to the 70% of respondents who say Face ID will be "extremely or very trustworthy," according to the survey.

Although Face ID may be viewed as viable for multifactor authentication, the National Institute of Standards and Technology (NIST) in its digital identity guidelines issued earlier this year noted biometrics, in general, should not be used for single authentication. "Biometrics, when employed as a single factor of authentication, do not constitute acceptable secrets for digital authentication — but they do have their place in the authentication of digital identities," the NIST guidelines said.

Mark Clifton, CEO of Princeton Identity, says some efforts are currently underway for incorporating facial recognition in an enterprise environment. "If you look at the past, Apple's Touch ID was a big boom for the biometrics industry," Clifton says. "You see a lot of enterprises and DHS [Department of Homeland Security] doing trials with facial recognition in airports, and of this nature."

Currently, fingerprints are the most popular form of biometric two-factor authentication, but facial recognition is growing fast, followed by iris-recognition, Clifton says. "These modalities will all move forward as consumer come forward and use them."

Ant Allan, a Gartner analyst, says he's skeptical of Face ID's impact on the use of biometrics for multifactor authentication in enterprises.

"I can say that the bottom line is, [Face ID] makes little difference from Touch ID," Allan says. "Whatever its inherent superiority, the lowest common denominator is still the device passcode, which remains as a way of unlocking your iPhone."

That said, however, Clifton says he has seen a change in the past year in the number of mobile users who rely on phone biometrics.

"At a conference I attended a year ago, there were 500 attendees, and when asked how many used the biometrics on their phone, maybe 30% to 40% raised their hand," Clifton recalls. "Now, at the sameconference a couple weeks agowhen asked the same question, 100% said they used it. I think phones have definitely been a catalyst."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.