The impact of Apple FaceID: Facing the future

Andrew Harrison
February 2018

Apple has a history of commercializing technological breakthroughs. Other companies pioneered

portable music players, touch-screen smartphones and fingerprint readers, but it was Apple that
turned them into a global phenomenon. Now the company seems to have decided that this is the
moment for face authentication to become mainstream with the development of its new FaceID
system.

Face authentication has been in the market for many years. Several companies have offered
programs for unlocking laptops, such as Microsoft Hello. However, these systems are all based on
face-matching technology that evolved over the previous 15 years. It relies on histograms of light and
dark around specific points on the face. In good conditions this technology can work well but it is
sensitive to poor lighting or unusual poses. It can also be confused by changes in ‘face furniture’ such
as the user growing a beard or starting to wear glasses.

From 2014, some major developments started to occur in the face biometrics industry. A team from
The University of Tel Aviv and Facebook demonstrated the use of deep learning for facial recognition.
This trains software with large numbers of labelled faces and could produce much better results than
existing methods. Another team from Google used similar deep learning techniques that gave even
more impressive results. This new approach made previous face authentication methods obsolete
and set a new standard high enough for adoption in everyday applications. While this technique was
used by many companies before Apple, with the iPhone X, they are making several significant
advances.

Firstly, it is running the Deep Learning classifier on the phone, not on servers. Deep Learning uses a
lot of processing power, so in the past this processing was always done on powerful servers. Google
then attempted to make its deep learning software work on android phones, but this made the
phones run very slowly. Because of its engineering skills Apple has managed to get the software to
work well on its phones, hopefully without draining the battery too much.

Secondly, Apple is using a variety of sensors on the phone to get 3D information for the biometric
model. The iphone uses an infrared projector to provide 3D information about the face. Again, Apple
is not the first company to use infrared technology, for example, Microsoft have used it in several
face recognition systems in the past. However, Apple is the first company to successfully use infrared
technology in personal devices like iphones.

Although this tehnology is very new and impressive the user will probably not notice it. They will
however notice the big advantage of face authentication – usability and reliability. The user simply
has to look at the device in a natural way for it to work. What will concern the user most is how
reliable the system is. In other words how often it fails to recognize their face. The failure rate was a
big problem with face recognition before 2015, but a combination of deep learning technology and

1
Apple’s engineering skills should make FaceID work with greater reliability. This experience will give
users confidence in face authentication.

Security is another important advantage of FaceID and an area Apples has made great
improvements. In August 2016, research titled ‘Virtual U’ showed how a few Facebook images could
be used to construct an animated 3D model of a person’s head. The model could blink and move and
managed to fool all the facial authentication systems and show how inadequate security was.

Virtual U attack: this explosive research showed the inadequacy of face genuineness tests. It fooled
all the liveness tests of every face authentication system tested, every time.

Apple has tried hard to stop people unlocking phones with copies of faces or ‘spoofs’. The company
uses infrared to illuminate faces by shining thousands of points of infrared light onto the user's face.
Apple is one of the first companies to use this technique and this controlled illumination test is very
powerful.

Apple has also recognized that even a powerful test like this will probably be defeated if it stable and
unchanging. One way to overcome this is continuous or dynamic change. The way chosen by Apple is
to change the illumination on each device used. This means that every iPhone X will have its own
pattern of controlled illumination, making it difficult to copy the pattern to mount a scaled attack.
This kind of security will help build market confidence in the reliability of face biometrics.

In keeping with its design philosophy and business model, Apple carries out the entire
face authentication process on the device without any reliance on servers in the network. This has
both advantages and disadvantages. Because it doesn’t have to contact the network, FaceID can be
very fast and work when there is no connectivity. However, this also means that FaceID does not
authenticate you to an online service (for example a bank) at all. FaceID works purely on your device
and the online service has to trust the device’s authentication. The service sees only the asserted
identity of the device and knows nothing about the user.

2
This is quite a profound drawback for online service providers who want to ensure the identity of a
particular person, whatever device they are using. It is possible that Apple will permit more than one
face to authenticate a user account and open a device. This was a problem with Apple’s fingerprint
scanner technology - TouchID. Service providers were nervous that up to five users could
authenticate one apparent identity on a device. It also means that FaceID cannot authenticate users
across devices and plays no part in making it faster for a user to enroll on a new device. Only server-
based face authentication services can empower users to confirm their identity from multiple
devices, including new ones.

Having face authentication entirely on the device can help confidence in the privacy of the solution,
but in some ways it causes security concerns. It creates a static, sitting target that is likely to be
hacked at some point. Only by monitoring and analyzing attacks and changing to repel them can
sustainable security be delivered. However, as FaceID happens entirely on the device it is not
possible for Apple to monitor or analyse attacks. For this reason FaceID will probably be successfully
hacked, and some of those hacks will be published. This potential vulnerability will make it very
difficult for service providers, especially regulated institutions, to rely on it for some applications.

Key threats to face verification: Apple will have no way of knowing what attacks have been tried and
what worked.

The launch of FaceID raised some interesting concerns about face verification. Amongst these was
the issue of consent. Many people expressed concern that a person could be authenticated to a
device without their knowledge or consent. For example, a thief could pass a phone in front of the
owner's face to unlock it as could a police officer. Although the technology requires the user to face
the device, it is so quick and invisible that the user might not know what is happening. This lack of
active engagement in the authentication process is new, unique, and unsettling. It remains to be seen
whether this could be a fatal flaw in some markets.

It remains to be seen how widely adoped FaceID will be. Clearly, it will be used to unlock the phone
and enable access to all Apple services such as iTunes and Apple Pay. It is also likely that many app
developers will rely on it for user authentication to their services. Like TouchID, it will undoubtedly be
used to permit low-risk activities by banks and other financial institutions. It is not clear if it will be

3
adopted for authentication for more sensitive matters.

Indeed, developers across the planet will be exploring how to use the new FaceID system. By giving
third-party apps access to much of the data used by FaceID, it should be possible to use this new
capability in many different facial authentication products. However, FaceID will probably not be
applicable for one key application of face biometrics - document authentication. This is in heavy
demand from border agencies and financial institutions to smooth the onboarding of online
customers. Because iPhone X with iOS11 in its current form is not a server-based solution it will not
be possible to use it for this application.

However, the expected success of the iPhone X and the stimulus it will give to the whole market for
facial authentication will accelerate the adoption of such applications and many others to the great
benefit of citizens, enterprises, and the public realm worldwide.