What's with the face? What I really think of the iPhoneX....

So who was not excited to see the new iPhone? I sure was yesterday sitting at the NYSE wanting to peak at my phone as the announcement was going on. 

As the CIO (Chief Identity Officer) of a biometrics company and just a general gadget tech lover, I am counting down the days to get my hands on my new one. But what I have really been dying to see is the impact of launching a second biometric as a new wave of identity and authentication... 

So what's up with the face? 

As a biometrics geek that spends a ton of time understanding the implications of deployments such as this, I have a few questions and opinions:

Winning Main Stream Adoption.... and Failing Education 

Those of us who have been in the biometrics space for some time can all relate to the impact that Apple has made launching Touch ID four years ago. It has enabled society to see the convenience behind the technology -- not the biometric. 

Most of us average humans likely had no idea what biometrics were until then. I certainly didn't.... and now Apple is saying that their average user opens their phones 80 times a day and 85 percent of those users use Touch ID.

Now Apple is doing this with face recognition... This definitely has the potential to be a big step for adoption of biometrics. Showing users emojis and fun ways to authenticate will certainly do a lot for the advancement of convenience and familiarity of this tech.

What I still fail to see, to me, is the most important thing ever.  Education.

Whether we are talking about the Equifax hack or face authentication on your phone. It's beyond clear to me that we have a long way to go to educate all us average humans. 

Knowledge is power. Understanding your identity and what all this means is no different. 

The only education I see in the news today, other than fun marketing reminders, is all to do with privacy and security. 

This whole process reminds me of my old high school principal. Who, in spite of teaching me great things, used to do it in a way that felt condescending... It was such a turn off and made me not listen at all. What's sad is that some of the noise about privacy and security comes from very brilliant, but sometimes a little nagy-sounding privacy advocates and experts. And guess what? The average person can't be bothered to care!  

But what could it mean...?

1. Privacy

Marc Rogers, a well-known security researcher, who was actually one of the first to demonstrate spoofing a fake fingerprint to defeat Touch ID; tweeted that he has no doubt that he—or at least someone—will crack Face ID. 

Apple's facial recognition technology uses color-based image-recognition in its detection scheme, which would require any simulated face designed to spoof the system to be meticulously colored too. What most haven't talked about is the liveness or contextual detection that should be attached to any facial recognition event.

Just like you and I need to be face-to-face for recognition to take place, or if we are talking via FaceTime and I freeze you'd likely hang up or stop talking until you knew there were actually a human there. This is probably one of the most important components of a biometric solution or modality. 

Some of the haters or privacy folks, will claim that iPhone's Face ID introduces a new problem that Touch ID never did: I've read some discussions about a person's face being publicly-known, and well-documented across social media platforms. And somehow people are saying this is a problem for facial recognition? 

Sure... maybe if spoofing can be done. But if that's the case, then let's talk about the tech. 

But if not... how about talking about Snapchat dog-face filters, or a Facebook album, or an Instagram story, or the camera surveillance that already exists? 

If we are gonna unpack privacy and someone's right to have their "face" used against their will, let's get things straight first... Is it a photo? Is it a biometric? Really what's the education we all have on all those other versions of our face that are already used against our will or maybe with full willingness ? 

What about my face being used by me, but even if I don't want you to?

The other thing I keep hearing is that under the US Constitution, the Fifth Amendment protects what's stored in your head, but not what's on your body. (Or actually really YOU!)

So lots of people out there are talking about the scenario that an officer with a warrant can force you to press your fingerprint on the Touch ID sensor on your phone and unlock it to carry out a lawful search of your data. The same can be said that an officer can hold up your phone to your face and unlock it with Face ID. (A fair point by Apple: Face ID requires the phone owner to have their eyes open.)

My question to this arguement.... is this really about biometrics? Wouldn't we all want to trust that if someone is being arrested they are actually who they say they are? I'd say most of us would say yes to this. So maybe the conversation we need to have is the fact that this amendment was done in 1975? Maybe it's worth a revisit since this technology didn't exist then...? 

2. Security... and spoofing... 

Another hot topic out right now, is one of the most common topics that I get asked about in my day job...

How can this be spoofed? 

From identical twins, to your face getting completely destroyed in a car accident, to this crazy idea of someone building a 3D model of your face.

Some Researchers at the University of North Carolina last year showed that they could use Facebook photos alone to reconstruct a 3D virtual model of someone's face. It could defeat five different facial-recognition applications they tested it against, with between 55 and 85 percent success rates.

So if you have to print a 3D model of someone's face to defeat your phone to unlock, could it be hacked? I would likely say yes. 

If it is yes, don't we all have a bigger problem likely at stake? And to say that this is will be common problem for the average mass of the population is so absurd! 

Fascinating point after looking at all the noise and feedback is that NO ONE is talking about the status quo. NO ONE is talking about how easy it is to hack passwords or PINs.

To me, this is an advance in technology and like any advancement on the path to main stream adoption there will be glitches and changes... but overall to me this is progress. 

This is progress in understanding that convenience has and will continue to trump security and to me make the older models of credentials no longer acceptable. What's the opportunity? We need to educate ourselves, our clients, and build better standards that the universe can adhere to and provide growing input to. 

Remember, we were all afraid of the internet at the beginning.

Next steps: Understand integration hell and interoperability issues. 

Integration hell and interoperability issues will be another massive development effort for all banks, large institutions and anyone looking to allow Face ID as a method of authentication. Now what happens to the face I have on my iPhone vs my Samsung (p.s. I will write another post about this)...?

Well... ain't that funny, I only have one face, but pretty sure I'd have to add it to both, separately...? These algorithms are trying to enable humans to be humans instead of using all these things like PINs, cards, and passwords that society put in place and called "identity." These things aren't humans, but... Face ID and Samsung Face won't be either if they are two different technologies that don't integrate... so are we really changing? Or just adding more to this crazy landscape...?

Last question I have... can I add my husband's face to my phone like I can with Touch ID? If so, how are we really changing the authentication game?