With the introduction of the iPhone X and its new biometric security feature Face ID in September 2017, new security concerns have arisen among users. At the center of the discussion are data privacy concerns, since iOS devices now store fingerprints (Touch ID) or the user's face (Face ID). The following article aims to dispel (negative) rumors and gives an overview of the topic.
What are Touch ID and Face ID?
iOS devices (iPhone, iPad) are equipped with biometric sensors that control access to the device. The following features are available:
- Touch ID: a fingerprint sensor (CMOS sensor) reads the fingerprint and, for example, unlocks the device. At the moment, up to 5 fingers can be stored.
- Face ID: the front-facing camera (TrueDepth camera) scans the face geometry and, for example, unlocks the device. At the moment, only 1 face can be stored.
How do the biometric functions Touch ID and Face ID help with using the device?
The biometric functions do not fully replace the device passcode, but they are a good enhancement and are meant to make using the device easier. To use Touch ID or Face ID, the device must be secured with a passcode. Without a passcode, Touch ID and Face ID cannot be used.
Touch ID and Face ID can replace the device passcode in the following cases:
- Unlocking the iOS device
- Confirming purchases in the App Store or iTunes Store
- Authorizing payments with Apple Pay
- and more...
In some cases, the passcode is still required, for instance after a device reboot or when changing the device passcode itself.
How secure are Touch ID and Face ID?
The fingerprints and the face are stored in the so-called 'Secure Enclave'. This component is a separate unit within the processor, designed with a special focus on security.
Probability of similar characteristics
Apple states the probability that another person with similar fingerprint or face characteristics is able to unlock the device as follows:
- Touch ID: 1 in 50,000 (when storing one finger!)
- Face ID: 1 in 1,000,000
In relation to the population of Germany of about 82 million people, there are mathematically approx. 1,600 people with similar fingerprints or 82 people with similar face characteristics.
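As an added worked example (not part of the original article, and not Apple's code), the following Python turns the two published rates into the expected number of matching people in a population and into the probability that repeated random attempts succeed. The Touch ID figure applies to one enrolled finger, so enrolling several fingers raises the effective rate; the population, the number of enrolled templates and the attempt cap are inputs you can change. The cap of five failed attempts used below is the value Apple documents, not something the article states, and is marked as an assumption.

```python
# Added example; the two rates are those quoted in the article, everything else
# (population, enrolled templates, attempt cap) is an input you can vary.

TOUCH_ID_FAR = 1 / 50_000      # false-match probability per attempt, ONE enrolled finger
FACE_ID_FAR = 1 / 1_000_000    # false-match probability per attempt, one enrolled face
GERMANY_POPULATION = 82_000_000


def expected_matching_people(far, population):
    """How many people in `population` would, on average, be accepted as the owner."""
    return far * population


def effective_far(far_per_template, enrolled_templates):
    """Per-attempt false-match rate once several templates are enrolled.

    Apple's Touch ID figure is for a single finger; each additional enrolled
    finger is another template a stranger's finger could match (assumed
    independent), so the rate grows roughly linearly with the count.
    """
    return 1 - (1 - far_per_template) ** enrolled_templates


def prob_false_accept(far, attempts):
    """Probability that at least one of `attempts` independent random tries is accepted."""
    return 1 - (1 - far) ** attempts


def risk_summary(far_per_template, enrolled_templates, population, attempt_cap):
    """Collect the figures a reviewer would want to see side by side."""
    far = effective_far(far_per_template, enrolled_templates)
    return {
        "effective_far": far,
        "matching_people": expected_matching_people(far, population),
        "p_false_accept_before_lockout": prob_false_accept(far, attempt_cap),
    }


if __name__ == "__main__":
    # Assumed attempt cap of 5 (the value Apple documents; not stated in the article).
    for name, far, enrolled in (("Touch ID, 1 finger", TOUCH_ID_FAR, 1),
                                ("Touch ID, 5 fingers", TOUCH_ID_FAR, 5),
                                ("Face ID", FACE_ID_FAR, 1)):
        s = risk_summary(far, enrolled, GERMANY_POPULATION, attempt_cap=5)
        print(f"{name:20s} 1 in {1 / s['effective_far']:,.0f}  "
              f"~{s['matching_people']:,.0f} matching people in Germany  "
              f"P(false accept in 5 tries) = {s['p_false_accept_before_lockout']:.2e}")
```

Running it reproduces the article's 1,640 (rounded to 1,600 in the text) and 82, and shows that five enrolled fingers bring Touch ID to roughly 1 in 10,000, which is why the "one finger" qualifier on Apple's figure matters.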
Storage of Data
The fingerprints or the user's face are stored permanently in the 'Secure Enclave' and are never sent anywhere. If, for instance, the user wants to unlock the device, the sensors send their data to the 'Secure Enclave' and the comparison is done there. The 'Secure Enclave' compares the scanned characteristics with the stored ones and returns only 'true' or 'false', depending on whether there is a match. Apps therefore never have direct access to the information stored in the 'Secure Enclave'.
This one-sidedness of the data flow, meaning that data can only flow into the 'Secure Enclave' and never out of it, also applies in the following cases:
- the stored fingerprint or face characteristics are never uploaded to iCloud and are only available on the device
- the stored characteristics are not contained in a backup, neither in iCloud backups nor in local backups
When storing characteristics (face, fingerprints) in the 'Secure Enclave', the device uses a mathematical algorithm to generate a digital representation. This algorithm is comparable to the generation of a hash value. It is best practice to store passwords in databases not in cleartext but as hash values.
Greatly simplified, a hash value is comparable to a cross-sum (digit sum). The cross-sum of a number is a reduced representation of the original number; for example, the cross-sum 24 (3 + 2 + 4 + 8 + 7 = 24) is obtained from the number 32487. This is a one-way function, i.e. the original number (here: 32487) cannot be recovered from the cross-sum.
The characteristics of fingers or face are stored in the 'Secure Enclave' using this mathematical representation. Therefore, the original fingerprints or the face cannot be reproduced (or only with enormous effort!).
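As an added example (not Apple's implementation and not code from the article), here is a toy Python model of the two properties described above: measurements go into the enclave, only 'true' or 'false' comes out, and what is stored is a one-way representation rather than the raw sample. The quantise-then-HMAC representation and the hypothetical geometry measurements are simplifications chosen for the toy; real Touch ID and Face ID matching works differently. The cross-sum functions show, in the article's own terms, why such a representation cannot be reversed: every number below 100,000 whose digits sum to 24 is an equally valid candidate for the original 32487.

```python
import hashlib
import hmac
import secrets

# Added example, not Apple's implementation: a toy model of the data flow the
# article describes. Samples go IN, only a yes/no comes OUT.


def digit_sum(n):
    """The article's 'cross-sum' (German: Quersumme), a simple one-way function."""
    return sum(int(d) for d in str(n))


def preimages_of_digit_sum(target, limit):
    """Every number below `limit` with the given digit sum. The size of this set
    is why the cross-sum cannot be reversed: 24 does not point back to 32487."""
    return [n for n in range(limit) if digit_sum(n) == target]


class SecureEnclaveModel:
    """Toy enclave: holds templates and a device-bound key, exposes no getters.

    The only public operations are enroll() and match(); nothing returns a
    template, and the key never leaves the object.
    """

    def __init__(self, tolerance=0.5):
        self._key = secrets.token_bytes(32)   # hypothetical device secret, never exported
        self._templates = {}                   # slot -> one-way representation
        self._tolerance = tolerance            # bucket width for the toy matcher

    def _represent(self, measurements):
        # Quantise the (hypothetical) geometry measurements so that small sensor
        # noise lands in the same bucket, then apply a keyed one-way function.
        # This stands in for the article's "mathematical representation".
        buckets = tuple(round(m / self._tolerance) for m in measurements)
        return hmac.new(self._key, repr(buckets).encode(), hashlib.sha256).digest()

    def enroll(self, slot, measurements):
        """Store the one-way representation; the raw measurements are discarded."""
        self._templates[slot] = self._represent(measurements)

    def match(self, measurements):
        """The only thing a caller ever gets back: True or False."""
        probe = self._represent(measurements)
        return any(hmac.compare_digest(probe, t) for t in self._templates.values())


if __name__ == "__main__":
    enclave = SecureEnclaveModel()
    # Constructed sample "face geometry" values (arbitrary units), not real data.
    enclave.enroll("face", [12.3, 4.1, 7.8])
    print("owner, slightly noisy scan:", enclave.match([12.4, 4.0, 7.9]))   # True
    print("different person:          ", enclave.match([9.0, 5.5, 7.8]))   # False
    print("numbers below 100000 with cross-sum 24:",
          len(preimages_of_digit_sum(24, 100_000)))
```

The point of the model is the shape of the interface rather than the matcher: an app that can call only match() learns nothing about the stored template, and the HMAC digest held inside the object is useless to anyone who copies it off the device, which is the property the article's hash analogy is getting at.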
There has recently been media coverage about a patent that describes the synchronization of fingerprints via iCloud (also see, in German: https://www.heise.de/mac-and-i/meldung/Touch-ID-iCloud-Sync-fuer-Fingerabdruecke-taucht-in-Apple-Patentschrift-auf-2518418.html). At the time of writing this article, there is no further information about the actual implementation of the patent itself, so it cannot be assessed whether this could pose a threat to the biometric characteristics. In principle, such a patent would violate the principle of never transferring data out of the 'Secure Enclave'.
Possibilities to bypass Touch ID or Face ID
In recent years, there has been a lot of media coverage about possibilities to bypass Touch ID (also see, in German: https://www.heise.de/security/meldung/Fingerabdrucksensor-des-iPhone-6-ueberlistet-2399891.html). In these cases, a fingerprint dummy was produced with little effort and used to unlock the iPhone.
The possibility of bypassing the fingerprint sensor with a dummy is not very surprising, because the dummy is an exact replica of the actual finger. On closer inspection, the assumed 'flaw' cannot be considered a real flaw. A comparable situation arises when someone spies out the device passcode.
Similarly, there is an assumption that someone can use a photograph to bypass Face ID on the iPhone X and unlock the device. This flaw seems to have been addressed in the design of the iPhone X, since Face ID measures the face geometry (that is, proportions such as the height difference between nose and eyes). A photograph does not have a comparable geometry, since it is a flat representation. Unlocking the device with a photograph therefore seems unlikely.
Apple seems to have taken the right path when implementing security in Touch ID and Face ID. Regarding physical security and data privacy, the current design seems to follow good practices for ensuring the confidentiality of data.
The stored fingerprint and face characteristics never leave the device, and they are stored using a mathematical representation, which makes it nearly impossible to reconstruct the original information.
Whether the assumed flaw, the creation of a fingerprint dummy, can be considered a security hole has to be assessed individually. Deactivating Touch ID does not seem to be a viable solution, since the device passcode can be spied out by other people.