XM -Blog

Face ID And Biometrics – Are We Choosing Convenience Over Security?

November 9th, 2017

Security of Biometrics Over Convenience of Face IDs

When you rush to your car in the morning, the only thing you need to unlock it and switch it on is a piece of metal with a computer chip. That’s your car key.

Anyone with the key can use your car. It’s certainly possible to make your car more secure, and resistant to anyone but you driving it. But does that make sense for something that’s meant to be driven many times a day, and often entered or exited at a moment’s notice?

Security versus convenience is a sliding scale. It’s a trade-off that we make several times during the course of the day. Service providers and product manufacturers think about this trade-off all the time too.

For instance, at Xpress Money, we’re absolutely committed to great customer service and rapid transactions. At the same time, we have Know Your Customer (KYC) and security regulations to meet. That is why our frontline teams are regularly trained to reconcile the two: give people rapid service with a smile while fulfilling security needs.

So how do you decide where to land on the security vs. convenience sliding scale? A good way of starting is by thinking about the consequences of a breach. Your car probably doesn’t need world-class security; having it stolen is inconvenient but will not ruin your life. But consider what might happen if someone managed to access all your emails – and then locked you out of your own account. Move further along the consequence scale and imagine someone getting into your bank accounts and authorising transactions on your behalf. That would be a life-changing event, and in a negative way.

So, cars can be convenient. Your password to the online flower merchant can afford to be something easy you’ll remember. But access to online banking must be carefully guarded.

For sensitive applications, most security protocols ask for two-step verification – where a clearance code is sent to your phone when you enter the right password. Alternatively, it could be presenting two different forms of ID, or being asked security questions.

Strong passwords and two-factor verification aren’t the most convenient way of going about your day. Many people create complex passwords that they then have to write down, which rather defeats the purpose. And getting SMSes to your phone with authorisation PINs after entering the right password is a tad cumbersome and time-consuming.

Fortunately, there is a third way – tech-driven innovation in biometrics. In the early 2000s, biometrics – using physical characteristics such as faces, hand geometry and iris scans to verify identity – were somewhat nascent and still a bit hit and miss.

Fast-forward to 2017, and you’ll come across adoption milestones where most smartphones on the market use fingerprint scanners for unlocking. Not only has the technology become robust enough for regular use but also cheap enough to be mass-produced. While security experts have warned that fingerprint scanners can be fooled, Apple has noted that the chance of a false match on its fingerprint system was 1 in 50,000 with just one fingerprint enrolled [1]. Those aren’t bad odds for a device that users unlock around 80 times a day [2]. The point is – a spymaster could ostensibly fool your phone with fake fingerprints, but chances are your phone and its contents just aren’t valuable enough. If they were, you’d give up convenience for far more security.

The newest development in this age-old debate between security and convenience is the new Face ID scanners on the iPhone X. It’s still early days, but it seems like the technology offers great convenience mated to a high level of security. Early testing shows the scanners are not fooled by two-dimensional pictures, masks and other subterfuge – although apparently identical twins can game the system [3].

So here’s the bottom line: As long as you don’t have an evil twin determined to hack your phone, it’s safe to say that modern biometrics are just about good enough to keep your data and information safe. But for more sensitive applications, you’d still need to head for multifactor authentication.



1. https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html

2. https://www.independent.co.uk/life-style/gadgets-and-tech/news/iphone-unlock-apple-phone-security-privacy-touch-id-fingerprint-sensor-a6990701.html

3. https://mashable.com/2017/10/31/putting-iphone-x-face-id-to-twin-test/#BbvlEkWB3qqc