iPhone X gets facial authentication, is the enterprise next?

This week, Apple debuted the iPhone X which kills the Touch ID fingerprint scanner in favor of a 3D facial scanning technology called FaceID. Soon, iPhone users will depend on face recognition in order to check email, send a text or call a friend. Here’s an excerpt from The Verge’s initial iPhone X review:

“FaceID works because of the TrueDepth camera system that’s tucked into the display notch at the top of the phone — there’s a lot of sensors packed in there, including an IR depth camera and a projector that throws 30,000 infrared dots on your face. The system reads the map, matches it against the stored image on the phone using a neural network processor built into the phone, and unlocks the phone.”

While immediate reactions to Apple’s iPhone X announcement on social media have ranged from excitement to distrust and concern, it appears that widespread biometric authentication is here to stay for consumers. But when will facial recognition technology start being used in the enterprise?

Passwords are not secure, are frustrating to remember and take away from an otherwise seamless experience. New enterprise solutions have used fingerprints to access PCs, cloud applications and VPNs. But if people are logging into their iPhones using their facial features, it’s only a matter of time until their office door or a factory floor or their laptop employs the same authentication.

It’s been a common theme that before technology reaches the corporate office, workers have to first use it in their personal lives. Just look at the BYOD trend which stemmed from people preferring their user-friendly devices over legacy enterprise systems and IT department-approved tech. With the launch of iPhone X and adoption of facial authentication in everyday lives, it won’t be long until biometric authentication becomes an everyday security method in businesses around the world.

Biometrics rely on a strong identity, or credential, that is stored locally on a device and used to authenticate to the server side. This keeps biometric data off the servers themselves while still leveraging its convenience to access a device. It also provides a flexible form of identity verification for a new concept called continuous authentication, which changes the perspective of authentication from an event to a process. Voice and facial biometrics can therefore continually authenticate users throughout a session without alerting them that they’re being monitored, which enables a transparent and seamless user experience.

Say an employee is working on a laptop they logged into using facial scanning technology. Throughout the entirety of the day, the facial scanning technology can do regular checks to ensure that the worker’s identity is still legitimate and the session hasn’t been overtaken by someone else. Once enterprises adopt this new authentication method, it will be particularly useful for organizations with remote workforces to enable secure access anytime, anywhere.
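The locally stored credential described above, and the periodic re-checks of a session, modelled as an added example (not Apple's or any vendor's code): the device keeps the enrolled template and only releases a proof over a server challenge after a local match, so the server stores no biometric data. The face map is a constructed byte string, the user name is assumed, and an HMAC secret stands in for the private key a real platform authenticator would hold.

```python
import hashlib
import hmac
import os

# Added illustration, not Apple's or any vendor's code. ENROLLED_FACE is a constructed
# stand-in for a face map; the device key is an HMAC secret standing in for a platform
# authenticator's private key. Neither the template nor a live sample ever leaves Device.
ENROLLED_FACE = b"constructed-face-map-of-alice"

class Device:
    def __init__(self, template: bytes):
        self._template = template         # local only, never transmitted
        self.credential = os.urandom(32)  # registered with the server; a real device exports a public key

    def prove(self, challenge: bytes, live_sample: bytes):
        # The local biometric match gates the credential; only a proof over the challenge is released.
        if not hmac.compare_digest(live_sample, self._template):
            return None
        return hmac.new(self.credential, challenge, hashlib.sha256).digest()

class Server:
    def __init__(self):
        self._credentials = {}   # user -> credential; no biometric data stored here
        self._pending = {}       # user -> outstanding single-use challenge

    def enroll(self, user: str, credential: bytes) -> None:
        self._credentials[user] = credential

    def challenge(self, user: str) -> bytes:
        self._pending[user] = os.urandom(16)
        return self._pending[user]

    def verify(self, user: str, proof) -> bool:
        nonce = self._pending.pop(user, None)   # consumed once, so a replayed proof fails
        if nonce is None or proof is None:
            return False
        expected = hmac.new(self._credentials[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

def continuous_session(samples):
    """Initial login plus periodic re-checks; returns one verdict per presented sample."""
    device, server = Device(ENROLLED_FACE), Server()
    server.enroll("alice", device.credential)
    return [server.verify("alice", device.prove(server.challenge("alice"), s)) for s in samples]

def replay_rejected() -> bool:
    """A proof captured during one check cannot be presented again later."""
    device, server = Device(ENROLLED_FACE), Server()
    server.enroll("alice", device.credential)
    proof = device.prove(server.challenge("alice"), ENROLLED_FACE)
    return server.verify("alice", proof) and not server.verify("alice", proof)
```

A third sample that does not match the enrolled template fails the local gate, so the device never produces a proof and the session check for that interval returns False.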

Facial authentication is only the beginning of a new wave of biometric enterprise security. Additional continuous authentication technologies that are being developed include:

  • An electrocardiogram (ECG), heartbeat or BioStamp can turn a user’s heartbeat into a unique differentiator that authenticates their digital identity. Whichever system or service a person is using could gain real-time access to their vital signs in order to verify the user throughout the entirety of a session or transaction.
  • A person’s gait, the way in which they walk or carry their phone, authenticates them in real-time and ensures they are present when a transaction is happening. This can range anywhere from an employee walking into an office or a consumer banking on their mobile device.
  • Cognitive authentication is still in the research stages, but it collects multiple parameters to create a unique user profile. When a person is presented with a novel stimulus, like a familiar photograph or song, it measures their response using a variety of techniques like EEG, ECG, blood pressure volume, electrodermal response, eye trackers and pupillometry. Cognitive authentication would then validate the user by matching the response to pre-recorded metrics.
  • Liveness checks use a variety of methods to determine that there is an actual live person initiating and responding to the transaction, as opposed to a robot or an impersonator. For example, facial recognition liveness checks look for blinking to ensure it’s not just a high-resolution photo being presented. Other liveness checks may look at the subtle mistakes a person makes while navigating a web page and compare this to the precision of a robot.
  • Behavioral biometrics analyze user behaviors such as the pressure someone puts on a device screen, user navigation of apps, cadence of typing, swipe patterns and the time typically spent on a session.

In addition to biometric data, inputs used for continuous authentication technology include device reputation, geography of the user and transaction type. Device reputation in particular allows organizations to provide their users a transparent, secure experience by only enabling step-up authentication when a user’s registered device is elevated as a risk.

For the enterprise, biometric and continuous authentication protect against fraudulent activity such as social engineering, account takeover and malware. Accelerated by the iPhone X’s FaceID, user acceptance of biometrics will have a massive security impact on industries – such as government, manufacturing, healthcare and financial services – that need to prevent unauthorized access to critical data.