Perhaps the software is already advance enough that a user could use a more complex input into the facial recognition system. For example left eye closed. Or nose scrunched. A pout face. And so on. That way the odds of someone forcing the correct input in the limited allowed attempts greatly diminishes.
If I understand current law, one cannot be forced to supply a password or passcode because of 5th Amendment rights against forced, potentially self-incriminatory speech.
A fingerprint is regarded differently. You can be forced to supply a fingerprint because it is something you are, not something you know, the latter being speech which cannot be compelled.
One could use biometrics like facial recognition and still enjoy 5th Amendment protections if a sequence of facial gestures were required to unlock a phone. While the biometric features comprising the sequence are indeed something you are, the sequence is something you know, and constitutes speech, which you cannot be compelled to supply.
So yeah, Officer - I'll stare at my iPhone for as long as you like. It won't unlock until I blink my right eye twice within 1 second and raise my left eyebrow immediately thereafter.
I think maybe a mixture of facial and a pattern for things you specify would work wonders... Like you can unlock with just your face but not all apps should be available. To open apps not safe listed you need to put in a pattern / pin / vocal password based on your own voice or fingerprint or the inverse to open protected apps you need further authorization via other authentication approaches
Apple just had another ios lock screen bypass (for accessing contacts). Do you really want to encourage them to make the app/data access state machine more complex?
No it’s like saying that they can nearly-just-about manage to keep things secure with two states but that they would fail to deal with the complexity of the number of states were increased 50%
This is actually significant, because as a rule of thumb the law can compell physical testimony (e.g. blood test, fingerprint), but not mental testimony (e.g. password, PIN, which finger to swipe, what face to make).
Though practically, I doubt many people will want to scrunch their face each time.
That’s interesting - I don’t experience any difference between unlocking with glasses on and with them off.
I actually thought I did at first, and was a bit annoyed. But it turned out I was just holding the phone far too close to my face when I didn’t have glasses on.
Also if you fail with a sufficiently similar face and then quickly unlock with passcode then it will remember your “new” face and unlock for it. This is to allow the phone to work with eg changes of appearance that a slow (eg growing hair) or sudden (eg cutting it)
That’s the only nit I have with Face ID, which otherwise works very well. I wear blue blocking glasses at night and I haven’t been able to get Face ID to work when I’m wearing them.
iOS 12 lets you register a single alternate appearance for Face ID. Assuming the glasses aren't blocking IR, you should be able to register yourself with the glasses as the alternate appearance.
I'm reminded of the scene in "The Return of the King" where Gandalf wraps the palantir in a cloth because he's afraid Sauron might be on the other end.
New step one when seizing an iphone: wrap it in something opaque...
You wouldn't even need to power off, just require passcode. You'd also need to require passcode to enter airplane mode.
Passcode requirements are pretty opaque though - as is, my Android and iOS devices ask for passcode (vs biometrics) randomly (from my perspective). Would be nice to have proper documentation of all the conditions that force passcode entry.
I find it very strange that Apple is held as a champion of privacy while simultaneously creating a culture of incredibly poor passwords. Perhaps the problem is that there are “two” privacies - the everyday protections against, say, Facebook, and the more traditional worry of a journalist in a hostile country.
Either way, I think we need to be taking this more seriously - most international borders require you now to take a picture. But forget countries, Disneyland now takes your picture by having an employee point an iPhone at you, a device equipped theoretically with the same technologies to reproduce whatever face data is necessary to get into your phone. To me, the “triumph” of FaceID and TouchID is analogous to Apple having “solved” the password problem by just auto-selecting “123” for everyone. Part of the responsibility of privacy protection is in the culture you build and how you implicitly educate your user through your designs. Apple bends over backwards telling everyone how crazy secure FaceID is, while potentially setting them up to have their data entered into incredibly easily when dealing with the most dangerous adversaries.
There was a great opportunity here to make a great feature that also educated the user: FaceID could have for example been an Apple Wallet feature. Credit Cards are a system built to expect fraud. They are expected to be stolen, and that’s why they build in a system to reverse charges. Telling a user that an Apple Pay charge can be quick and painless with FaceID (and avoid a full phone unlock) since the danger is not permanent would have still been more convenient than before. At the same time, by requiring the user to type a full password to access their data, the user would implicitly be taught that data theft is for some reason more dangerous, and thus begin to build the same intuitions computer-literate users have. In fact, if all the user did was use FaceID for their credit cards and no password for their photos, it would account for most of “normal” people’s security concerns, without also inadvertently confusing the security conversation where activists may not know the proper way to secure their data.
On the other hand, since people don’t want to bother entering a long password every time they pick up their phone, they’ll be more likely to disable it entirely.
Also, even if you are not famous or in the spotlight too often: I can think of many occasions in the public where I rather look at my phone to unlock it, then enter a complex number/password.
Being honest, for many people, they're not going to be in many situations where they need to worry about this. And when they are, they have some advance time, like they've decided to go protest this weekend. They could have face unlock on most of the time, but switch to a password for those times.
As a largely security-conscious person, I'd love to, but there's a non-zero chance I'll lose all my data since my last backup by being triggered accidentally in my pants pocket.
It is not really possible to accidentally trigger this in iOS. After the first few tries there is a longer and longer delay before you can try again, so it takes wrong tries over many hours.
> your face and/or your fingerprints are not passwords
How absolute do you think this is?
In the U.K. this would be an illustration that your face and/or fingerprints are passwords as the police can compel you to give any of them (or go to jail), including passwords that you don’t know.
They are more of a second factor ("something you have") rather than a first factor ("something you know"). That being said, for the vast majority of people, the only attack they're worried about preventing is their phone being stolen then subsequently used to access their financial accounts, mail, or social media. This attack is handled well by FaceID, since if criminals are in possession of your phone and not your person, it's unlikely they'll succeed in unlocking your phone. On the other hand, if they are in possession of your person as well, then they have straightforward approaches to compel you that no amount of phone technology would protect you from.
There was recently a story of a married couple flying. The wife thought the husband was cheating, so after he fell asleep, she unlocked his phone right there and read everything. She didn't handle the news well.
Hold the lock button and one of the volume buttons for 3 seconds. This disables biometrics, and gives on-screen swipe options for MedicalID and Emergency SOS. Pressing the lock button 5 times also disables biometrics, begins a 3-second countdown to auto-call your Emergency SOS contacts and 911. One nice touch is that the language used to let you know Touch/FaceID are disabled doesn’t rat you out to the cops (just says that Touch/FaceID doesn’t recognize you, not that you intentionally disabled it). If these don’t work for you, there are options under Settings, Emergency SOS.
Correct me if Im wrong but FaceID will not work when Im dead right? The underlining software detects temperature similar to thermal detector and thats the way it builds an image of your face no?
This discussion arises because we collectively wish for a completely secure (as in does not unlock unless you want it to) yet near-instant unlock mechanism.
It's not that OP worries they might be doing something sketchy enough that law enforcement would go through those lengths. The issue is that Face ID's difficulty to crack is a function of time, not knowledge. Thus, it is not the holy grail we seek, and if you have anything of interest on your phone, whether political, corporate or just illegal, it's not even an option if you wish to secure your system.
I’ll be honest, if I’m dead... you’re welcome to it all.
I’m much more worried about a court compelling me, while alive, to provide my face or fingerprint. They can easily force biometrics out of me, but they’d have to torture a passcode out. Even if I have nothing to hide and/or give it up in the first five minutes at least that was my choice and not one made for me.
Saying the below potential ideas with the tin-foil hat aside, just potential worst case scenarios.
Could access Employee/Employer/Client Data?
Open the password manager with access to vendor/company login info, ssh keys. Could access company systems with access to more data. Could change data/commit code etc to those systems remotely/temporarily.
Be able to open 2 factor apps that could enable access to financial info (tax/theft etc), which could hurt loved ones/heirs. If you were an investment advisor/trader the offender could make trades/wire money on client accounts.
I think law enforcement is one concern but a wealthier/powerful user could attract other parties.
If you died over a long holiday weekend or vacation, that access could go undetected long enough to have consequences.
> The underlining software detects temperature similar to thermal detector and thats the way it builds an image of your face no?
No, I'm not aware of any thermal sensor used for FaceID. It builds an image of your face using an IR camera paired with an IR projector just like the first generation Kinect (made by PrimeSense that was bought by Apple in 2013). Keep in mind that this is near IR, not far IR that's used in thermal imaging.
I think the future defense against this sort of thing is more situational awareness on the part of the phone. You won't just have to fool the biometrics, you'll have to do so without making the phone suspicious at any point. My guess is that phones already have enough sensory data to pretty reliably distinguish everyday usage from being stolen or confiscated, and it's "just" a matter of fitting a model. Nor does the phone have to ignore what happens to it after it's unlocked.
No one tries this sort of thing on people or animals, and it's because they don't shut their perceptions off at all times except for a half second when they are authenticating someone.
I wonder when the app that wipes your phone if the GPS shows it to be at a police station or an evidence lockup will come out and what are the repercussions of having such an app will be.
There was the guy who sold the "secure" phone (it was targeted at drug dealers and cartel members). He would remote wipe them if they were in police custody. He's now going to jail.
Courts take an extremely dim view of the willful destruction of evidence.
That’s a bit different if he actively wipped them once he knew they were in police custody that is tampering with evidence.
However a self destruct mechanism that is either on a rolling timer or event driven for which you don’t need to take an action to initiate it but must take an action to stop it could be a legal loophole but it sure won’t look good in court.
> Apple makes it very easy to quickly disable Face ID [...] simply press and hold the side button and either power button for several seconds.
It would be nice if it were even easier. E.g a triple click of the power button — something that you could do with one hand in your pocket in less than a second.
I don't think it's actually any more effort than a triple-click. "Several seconds" actually means 2 seconds, so you can basically grab your phone and squeeze for two seconds to disable Face ID. It's probably less obvious than a triple-click too, because there's no repeated clicking noise. Whether you're attempting to triple-click or hold volume + power you'll need a good grip either way, and you may be able to triple click in one second vs. a two-second hold, but I think the probability a literal second would make a difference is pretty low.
Re rubberhose security: Face ID and Touch ID were both major security blunders by Apple because these enable security services and criminals to compel anyone to unlock their devices and incriminate/rob themselves. Only what someone knows, rather than what someone has, cannot be chopped off, presented or forcibly-applied to unlock a device... revealing information under duress is a choice, having a fingerprint taken to unlock a device is not a choice.
Apple isn’t a security focused company though, its a consumer goods company where ease of use trumps most other things. With that in mind, biometric posing as security is great for their bottom line. Security or privacy is sometimes a nice byproduct of how they want to market devices.
