scythe42

  • Senator calls on Apple to address Face ID privacy concerns

    This is a question I am asking as well.  I would not purchase the phone without being satisfied that someone who mugs me or for that matter the police - could not hold the phone to my face and activate it.  Without an absolute safeguard and perhaps even a kill password my company sure won't be using it.  I am hoping Apple have this addressed and the Senator and the public will be satisfied that privacy is absolute.
    At least the same way as with Touch ID, when you have to enter your code:
    - after you restart the device
    - more than 48h have passed since the last time you unlocked the device
    - add/delete a face (instead of a fingerprint)
    - change passcode
    - more than five unrecognized unlock attempts in a row. Accidental unlock attempts are even more likely with FaceID than TouchID...
    - biometric data doesn't leave the device and is stored in the secure enclave.
    ...and you do not have to use it to begin with if you do not like the convenience of it.

    It is exactly the same deal as TouchID. But the "digital key" to unlock is now not the data from fingerprints but from your face.

    The thing is, it sounds insecure to us, because we see faces all day and recognize them easily...

    But from a mathematical point of view a face is way more complex than a fingerprint. Fingerprints are very simple, but unique. Faces are very complex and unique as well, even between twins. It's not like the algorithm is just recognizing a face, it measures it in detail from a close up - and we will never know what exactly it measures and how the data points are used, same as with Touch ID. Oh and the hint that it cannot be fooled by makeup/prosthetics easily indicates that they actually look at the eyes as well and maybe measure subsurface reflection of light as well (once read a paper about this) as part of the equation.

    Do not make the mistake of thinking that it is the same as facial recognition where only a few parameters of the face are matched against a database. There is way more involved if you want to use a face as a key. Not the Samsung way, where they just slapped on some open source facial recognition library designed to recognize people in photos to say they were first and had a talking point.

    And holding the phone up to your face against your will is the same deal as putting your finger on the button against your will. Not much difference forcing you to look at the screen compared to holding a finger onto the button. Yeah, and holding a gun to your head probably works for your PIN code as well.

    Really, same deal as before just different data source with more information to begin with (think longer password). If you were happy and felt secure enough with TouchID you should be fine with FaceID. Apple for sure tested it a ton and tweaked it or it would be a PR disaster. Everyone will be all over this trying to show that it can be broken easily. Intelligence Agencies and people who sell hacks to them are first in line...

    Can a face be created that fools FaceID? Of course, the same way TouchID can be fooled. The question is how much effort is required and how fast it is possible once you got hold of a device.

    Will there be security holes in iOS 11? Of course there will be. Once more fixed by updates. The idea of hacking a device is not to fake the identification but to circumvent it in the first place so the person never knows that the device was accessed by a 3rd party. That is what you need to worry about, not if some of your work colleagues can easily read your private email when you forgot your phone on the desk when going to lunch. For such average security measures TouchID/FaceID are more than enough.

    Also no one who mugs you for a phone cares about the data. It is sold for parts to repair phones (ever wondered where shops got all the parts from?). Times where phones were stolen and resold en masse like iPods on the next street corner are long over. For years it has been parts for cheap as they cannot easily reset it to factory defaults.

    I would worry more about stuff like Equifax and the horrible security at people who handle your money or your personal information...
