Phishing attacks continue to be the root cause of a considerable number of data breaches. Typically, these incidents occur when employees are enticed into giving up their login credentials in response to a cleverly designed, yet fake email. Thus, network passwords, combined with employee susceptibility to phishing emails, remain a major security weakness for corporations.

Passwords and Employees

A recent report by Israeli security firm Secret Double Octopus (SDO), reveals that despite policies intended to protect passwords, many employees do not take appropriate precautions. SDO reports that, based on its surveys, about 59 percent of employees rely on paper notes, documents, or electronic text documents to store work-related passwords. Even worse, fourteen percent of respondents said they share work-related passwords, while 21 percent admitted to reusing their work passwords for personal online services. Five pecent of employees admit they have entered their work-related passwords into fraudulent forms/web pages – “admit” being the operative word.

So, what’s the solution to this password/employee mess? According to SDO’s report, many employees favor dumping passwords altogether and instead using biometrics, such as fingerprints or facial recognition, based on perceived ease of use and trustworthiness. And biometrics appear to be gaining momentum in general public use and acceptance, with a recent forceful push by consumer device makers. In fact, just this month (November 2017), a new smart phone was released that uses “Face ID” for user authentication.

What is Face ID?

So what exactly is Face ID technology? A recent whitepaper on Face ID Security addresses these questions related to the recently released smart phone. According to the white paper, when a user looks at their phone to unlock it, cameras built into the front of the phone capture face data by projecting and analyzing over 30,000 infrared dots to generate a depth map of the face and also a 2D infrared image. The facial map and infrared image data are in turn used to calculate a mathematical representation that is compared with the facial data that the user previously saved when the phone was initially set up for Face ID. If there’s a match, the phone is unlocked.

Face ID Security

So how secure is this process? The white paper states that the Face ID data is encrypted and protected with a digital key available only to the “Secure Enclave” on the phone (which is a separate part of the computer chip partitioned from the phone’s operating system). And the Secure Enclave doesn’t store any actual facial images of the user, just a math representation which cannot be reverse-engineered. Also, Face ID data doesn’t leave the device’s Secure Enclave and is never backed up to the company’s servers or anywhere else. The whitepaper further states that the probability that another person could look at your phone and unlock it using Face ID is approximately 1 in 1,000,000 (but watch out for “evil” identical twins).

Privacy Concerns

Senator Al Franken, D-MN, a member of the Senate Judiciary Subcommittee on Privacy (and perhaps familiar with privacy issues since a 1988 lost wallet incident), has expressed concern that “an individual’s faceprint is permanent, public and uniquely identifies its owner. As a result should a bad actor gain access to the faceprint data that Face ID requires, the ramifications could last forever . . .”. In other words, although you can change a compromised password, you can’t change your face.

Also, tracking of facial features is not always limited to just user authentication. Third-party app developers may be able to access certain facial data for “augmented reality” features in games and apps. As one company’s development tools provide, App developers can “enable a revolutionary capability for robust face tracking in [augmented reality] apps. See how your app can detect the position, topology, and expression of the user’s face, all with high accuracy and in real time.” This enables developers to use face tracking and face detection to enhance a 3D character.

While the technology is fascinating, the privacy concern is that the facial tracking features could potentially be used by advertisers and marketers for data mining purposes, such as reading facial expressions in response to ads. However, implementing appropriate rules for developers can help address these issues. For example, these developer guidelines specifically state that facial mapping tools “may not be used for advertising or other use-based data mining, including by third parties.” Nor can personal data, such as facial mapping, be shared without first obtaining the user’s permission.

Biometrics Are Here to Stay

Despite these privacy issues, it’s clear that biometrics, whether using finger prints or facial maps, is here to stay. It remains to be seen if the facial data generated ultimately remains secure. Also, will app developers attempt to bypass the rules that companies put in place to address privacy concerns? Certainly face recognition has its own unique legal challenges that creates potential privacy risks and liabilities for companies that use the technology, developers that take advantage of the facial data created, and, of course, end-users, whose face data is now the key to unlocking their device.