Facial recognition in the new iPhone would make huge waves

Will Apple embrace facial recognition and iris scans? The mobile industry is preparing for authentication upheaval.


Several sources that traditionally have been reliable about such things report that Apple is preparing to abandon the fingerprint biometric authentication it has been using for five years in favor of 3D facial recognition coupled with iris scans, and the mobile industry is preparing for authentication upheaval.

The most likely scenario is that Apple will include this new biometric approach on perhaps one model of the new iPhones, with the others continuing to use Touch ID.


The driver for this move, according to analysts tracking the company, is a desire to free up space on the phone to allow for a larger screen in a similarly sized device. Keeping the phone pocket-sized means that phones simply can't get much larger than the current iPhone 7 Plus. (Yes, you scoffers out there. The iPhone 7 Plus—at 6.23 inches tall, 3.07 inches wide and 0.29 inches deep—does fit in my deepest pockets, but just barely. Fits into suit jackets, too, but, again, just barely.)

That could have simply meant relocating the fingerprint sensor from the Home Button, but that was expected to deliver a drop in authentication accuracy, mostly because a relocated sensor couldn't easily scan the edges of the fingerprint.

From a marketing perspective, Apple will need to argue that this move will deliver more accurate authentication—and ideally, it will do so slightly faster and more conveniently.

Fingerprint authentication is not a perfect authentication option given that there are many people whose fingerprints are in some way compromised. That includes people who work extensively with cleaning products and even some who take prescription drugs that thin the skin.

Facial recognition has its own challenges. Faces haven't been recognized because of poor lighting, changes in cosmetic application, beard growth, haircuts and even extreme facial expressions. Typically, those problems have been dealt with by tweaking the software's strictness, allowing it to authenticate someone if the face is sufficiently close. No surprise, but the looser the app's strictness, the less reliable it is as an authenticator.

To combat this, Apple is looking to integrate eye scanning—not retina, but iris—leveraging its 3D capabilities, according to a report from Bloomberg. If facial and iris scans are properly combined, the accuracy could be much better than with fingerprints.

"In testing, the face unlock feature takes in more data points than a fingerprint scan, making it more secure than the Touch ID system, the person said," according to that Bloomberg story.

Whether it's really more secure depends on how strict Apple has made the settings. Faced with a choice of telling a lot of consumers they can't access their own phones or telling some thieves that they can, it's likely Apple will initially allow the phone to be more accommodating.

Why? Blame social media. Legitimate iPhone owners who are locked out will quickly complain as loudly as they can, while thieves given inappropriate access will stay happily silent. (Unless they are stupid thieves, which is certainly a healthy subset of that community.)

This might be especially problematic in family situations. Siblings, and especially identical twins, would likely be able to access one another's phones with facial and iris authentication in a way that they couldn't with fingerprint authentication.

Rippling effects of changing the authentication method

Don't forget that Apple isn't in this alone. It will have a lot of people to convince. A big chunk of the iPhone's value for Apple is in various services such as Apple Pay. The company will need to convince merchants and banks that this new authentication system will work well. Lots of online and mobile services also depend on Touch ID, such as banks allowing money transfers authenticated solely by Touch ID and ecommerce sites allowing purchases with just that authentication.

All that said, this comes down to whether Apple will actually do this, and when. The next iPhone hardware rollout is expected to be this fall, and most Apple watchers expect this change in authentication to happen then.

I asked Apple spokesperson Trudy Muller about the reports, and she said, "It's not something I have anyone available to speak with you about."

That's one of the nicer "no comments" I've seen. But she then offered up the names of a couple of analysts that, she said, "I'd suggest could be good to talk to."

My columnist interpretation: If the reports had been completely wrong, she would have either denied them—without offering details—or simply ignored my request. The fact that she offered two people to talk with from outside of Apple suggests she wanted to see my story published. Bottom line: I'll bet all the money in my pocket that we'll see some version of facial recognition replacing fingerprints on at least one model announced this fall.

Easier-to-use authentication leads to improved security

Neil Cybart, an Apple tracker who is an analyst for Above Avalon, said ease of use and practicality will do more than make life simpler for users. If Apple achieves them, this authentication will be much easier to use, which in turn means it will be used more often. And that will improve security.

"If you have your phone lying on a desk, [and you are] looking toward the device, is that enough" for the iPhone to authenticate the user? Cybart asked. "If you can make it easier to do, you’re adding more security because people will actually do it."

With fingerprint authentication, Apple always allows the PIN to be entered instead of the fingerprint. I've heard consumers (and even some industry people who should know better) say, "No one will steal my phone because they now will need my fingerprint to access the data." That's simply not true, if they have the PIN. (Note: It would be a nice security twist if the phone retained all failed authentication attempts for six months. That way, the police would have a fingerprint to match against a suspect. To my knowledge, it doesn't retain them.)

Making security matters worse, although Apple now defaults to a six-digit PIN (it used to default to four digits), the settings still allow a four-digit PIN. Why? Apple, if you're going to improve security, just do it. If you realize that a four-digit PIN is insecure, don't allow it.

Presumably, Apple will repeat this move with the new phones and will default to the PIN if facial recognition doesn't match.

Note: As I argued when Apple started pushing Touch ID, biometric authentication on its own does slightly improve the security of the PIN. Why? Because the biggest vulnerability of the PIN is that users have to repeatedly type it in public. A thief shoulder-surfing can see (or even videotape) your keystrokes and figure out your PIN, perhaps moments before he tries to steal the phone. With biometrics, you sharply reduce how often the PIN will be used in public, thereby making it that much harder for the thief to figure out.

But Apple's reported 3D approach has other security advantages. Securosis analyst Rich Mogull argues that it's the 3D capabilities of the new hardware—which enable depth sensors—that make facial-iris recognition practical. Otherwise, a good digital image would have an excellent shot at tricking the system into generating an incorrect authentication.

The original premise of fingerprint authentication was that it "allows people to have the security of a strong password with the convenience of no password at all. If there is an equivalent way of solving that problem" and it's accurate, more secure, faster and frees valuable phone real estate, Mogull said, why wouldn't Apple do it?

Why indeed? If this works, it could be an interesting industry development. On the Android side of mobile, quite a few handsets have already been offering facial recognition (selfie authentication) for years. The problem has been that few Android phones have embraced 3D depth, despite Google supporting that capability for years in the form of Tango.

If Apple rolls out facial recognition in 3D, it will be doing what IBM used to be known for: being late to the market, but materializing in a far better way.
