Can Apple transfer its elegance to secure biometrics, access control?

Summary: Apple putting together quiver of biometric, gesture technology but is it shooting for real security or consumer convenience

TOPICS: Apple, Security

With a fresh patent in hand this week for facial recognition, a fingerprint reader on its iPhone 5 and a new $345 million acquisition of 3D-sensor company PrimeSense, Apple seems to be putting some serious body english on the user interface.

Figure: Exhibit 1 from Apple's facial recognition patent. Reference number 124 points to an "image sensor" behind the screen.

Is Apple gunning to redefine interacting (that is, authenticating) and interfacing with computers, devices, and ultimately "things" in the computing environment at large? And will it reset expectations for security, as well as for innovation and convenience?

Apple's newest patent awarded by the U.S. Patent and Trademark office points to a sophisticated array of biometric and gesture-based inputs across a range of devices and vertical industries.

If that is the case (the company isn't saying), can Apple's pedigree for elegant design overcome fickle user acceptance and current shortcomings in biometric technology and lap the field?

"The state of play today in consumer biometrics security is pretty primitive," said Steve Wilson, vice president and principal analyst at Constellation Research. "In security, we're accustomed to rigorous standards and testing; lots of peer review; all encryption algorithms being published. But with biometrics we still don't have agreed upon test protocols."

Wilson said consumer biometrics is all about convenience and has very little to do with serious security.

Apple found that out firsthand when the Touch ID fingerprint reader on the new iPhone 5 was hacked shortly after it hit the market. At that point, Apple went silent on the security value behind the iPhone biometric, which today is only used to simplify authentication to the device and gain entry to the App Store.

The facial recognition patent the company was awarded (US008600120), however, isn't confined to the company's "i" branded line of devices.

The patent references everything from devices, to televisions and stereos, portable video players, display devices, vehicle control systems, financial transaction systems, and any "like computing device capable of interfacing with a person."

Apple specifically calls out the need to recognize "passive users," people who are in front of, or near, their devices but are not actively using them. It reads like a tip of the hat to the PrimeSense technology, which is already used in Microsoft Kinect to interpret body movements and voice commands.

In addition, the patent indirectly points out inadequacies with passwords and states: "there is a need for a more efficient and reliable user access control mechanism for personal computing devices" (i.e., Touch ID and other biometrics).

So it appears Apple is setting up to use biometrics, including gestures (although there is debate as to when a gesture is or is not a biometric) to define authentication and interaction with computing devices.

But will facial recognition, fingerprint readers and sensor technology become a security perimeter for devices or remain convenience features?

Constellation Research's Wilson says there are major hurdles for Apple (and others) who might trend toward a security sell, including transparency, honest specifications, and a lack of standards.

"Sadly we just don't know enough about the technology," he says. "And as a result I have reservations about the trustworthiness of biometrics vendors."

Wilson says there are no real-life test methods in the field for biometric performance. He says the FBI advises that in the field it cannot predict how biometrics stand up to concerted attack.

"Imagine you were selling a safe to a bank manager but you couldn't tell her how well the safe will perform if a robber comes in with an oxy-acetylene torch," said Wilson.

False readings have always been a big concern with biometrics. Lowering the False Reject Rate (so users are turned away less often) also raises the False Accept Rate, which means security goes down.
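The trade-off in the sentence above can be made concrete with a threshold sweep. The following is an added example, not code from the article, from Apple or from any biometric vendor: it uses constructed genuine and impostor similarity scores (assumed values, not measurements of any real system) and computes the False Accept Rate and False Reject Rate for a range of accept thresholds, then locates the equal-error region and the most convenient threshold that still fits a given FAR budget.

```python
"""
Added example (not from the article): how a biometric matcher's decision
threshold trades False Reject Rate (FRR) against False Accept Rate (FAR).

A matcher outputs a similarity score; attempts scoring at or above the
threshold are accepted.  Genuine attempts (same person) tend to score high
and impostor attempts (another person, or a spoof) tend to score low, but
the two distributions overlap.  Each threshold is therefore one point on a
FAR/FRR curve: lowering it to reduce user-facing rejections also admits
more impostors.

All score samples below are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed similarity scores in [0, 1]: genuine attempts score high on
# average, impostor attempts low, with deliberate overlap around 0.5-0.7.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.77, 0.74, 0.70, 0.66, 0.61,
                  0.58, 0.55, 0.95, 0.90, 0.83, 0.76, 0.72, 0.69, 0.63, 0.52]
IMPOSTOR_SCORES = [0.12, 0.18, 0.23, 0.29, 0.34, 0.38, 0.41, 0.45, 0.49, 0.53,
                   0.57, 0.60, 0.64, 0.67, 0.15, 0.26, 0.33, 0.44, 0.51, 0.62]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    far: float  # fraction of impostor attempts wrongly accepted
    frr: float  # fraction of genuine attempts wrongly rejected


def far_frr_at(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for an accept-if-score>=threshold decision rule."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Evaluate every candidate threshold and return its operating point."""
    points = []
    for t in thresholds:
        far, frr = far_frr_at(t, genuine, impostor)
        points.append(OperatingPoint(t, far, frr))
    return points


def equal_error_point(points):
    """Operating point where FAR and FRR are closest (the EER region)."""
    return min(points, key=lambda p: abs(p.far - p.frr))


def most_convenient_threshold_for_far(points, max_far):
    """Lowest threshold (hence lowest FRR) whose FAR stays within max_far.

    FAR falls monotonically as the threshold rises, so the lowest qualifying
    threshold is the most user-friendly one that still meets the budget.
    Returns None when no evaluated threshold meets it.
    """
    ok = [p for p in points if p.far <= max_far]
    return min(ok, key=lambda p: p.threshold) if ok else None


def demo():
    points = sweep([0.4, 0.5, 0.6, 0.7, 0.8])
    for p in points:
        print(f"threshold={p.threshold:.1f}  FAR={p.far:.2f}  FRR={p.frr:.2f}")
    eer = equal_error_point(points)
    print(f"EER region near threshold {eer.threshold:.1f} "
          f"(FAR={eer.far:.2f}, FRR={eer.frr:.2f})")
    strict = most_convenient_threshold_for_far(points, 0.0)
    print(f"zero false accepts on this sample needs threshold "
          f"{strict.threshold:.1f}, costing FRR={strict.frr:.2f}")


if __name__ == "__main__":
    demo()
```

On the constructed sample, moving the threshold from 0.7 down to 0.6 cuts FRR from 0.35 to 0.15 but lifts FAR from 0.0 to 0.2, which is the convenience-versus-security trade-off the article describes; a vendor quoting only one of the two rates is showing one side of that curve.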

"Most consumers get all their understanding of biometrics from sci-fi movies," says Wilson. "They have no expectation of errors, or retries. There is a mad rush for novelty."

Wilson says with serious security the expectation is a decade or more of rigorous testing and certification. "With biometrics, vendors positively brag about their new gadget hot out of the lab."

Will Apple do that or will it rigorously test and set new standards and expectations like it has in the past? Touch ID is too early in its development to tell, but right now it does not point in that direction.

Will Apple piecemeal the technology, offering higher grades used on commercial devices or in high-security areas for authentication, authorization and privileged access? Will it let others build the commercial-grade technology and license its patent while keeping its own efforts in the consumer market?

"Biometrics only work for high security when the user is trained and willing to put up with retries in the interest of keeping the False Accept Rate low. Consumers have very low tolerance for false negatives and inconvenience," Wilson said.

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Probably a bit of both

    Biometrics isn't super secure - though combine enough markers and theoretically it is. But it does provide a very convenient form of security that is hard to casually crack. You can't do a big dictionary toss against biometrics, for instance, which gives it an advantage over pass codes.
    • but it is a credential with a glass jaw

      Once the biometric is cracked, you can't change it like you can with a password. Imagine the next Adobe, but instead of cracked password hash tables, it is biometric data.

      You can't change your face or fingerprint quickly.

      You're supposed to use different passwords for different systems. This is so that, if your credential is copied from one system, your other credentials are still OK.

      You can't use one fingerprint for one system and another fingerprint for another. Perhaps we could use different silly voices for each system. But then, how do you write down your silly voice on a post-it-note and stick it on your monitor in case you forgot?
      • The thing is, it may not matter

        There's an old joke about security - two guys see a lion, one changes from his boots into runners. The other says, "You can't outrun a lion!" He says, "I only need to outrun you!"

        You can't throw a dictionary/mass data attack at biometrics, and a dictionary type attack is the only attack vector most of us deserve. We're not the President, we're not the Secretary General of the UN. Nobody is going to spend hundreds or thousands of dollars and days to snarf a plaster imprint of our prints and make a 3D mask of our face... we're just not worth it. What they will do is pinch our phone from our pocket on the street. And biometrics will offer that kind of thief little comfort - they just won't have the data they need to bypass the lock.
        • Problem is mass attacks are getting cheaper

          It's too easy to crack most types of biometrics, they won't really need to spend any significant sum to get into your accounts. And considering the greater number of accounts they'll get into for every biometric they crack, it will be worth it for the attackers.

          Also, it's trivial to get fingerprints from most phones.

          You seriously underestimate how easy it is to duplicate.
    • Biometrics...

      is your username, not your password...
  • Old news?

    Sensors in / behind the screen have been talked about for years and there have been plenty of attempts at facial recognition, how does Apple get a patent on that now?
  • Apple is patenting whatever they can in biometrics

    … so they can sue anybody with the nerve to produce biometrics before Apple does.
    • Then we can read here

      about how Apple invented biometrics (along with the PC, the PIM device, the music player, and the telephone)
  • Convenience and security can be had

    The convenience of biometric authentication is a no-brainer, especially with fingerprints. But among fingerprint scanner/sensor manufacturers, their inherent spoofing vulnerability is the elephant in the room. What is needed are broader implementations of spoof mitigation (a.k.a. liveness detection) technologies for all biometric modalities. These solutions exist today, and their deployment will provide the necessary confidence among end users to adopt the authentication convenience they so badly want. It's unfortunate that Apple didn't do this before bringing the 5S to market.
    Mark @...
    • Liveness detection remains more myth than truth

      Ah, but Apple did represent that the iPhone 5S has liveness detection (they claimed a severed finger would not work). But clearly there is no liveness detection, and that's the serious upshot of the CCC spoof. Whether or not the spoof is economical is debatable; the real point is it should not have been possible at all if there was liveness detection as promised.
      And still there are no standards or test protocols for liveness detection; there isn't even terminology for what it means. It's pretty much a joke. Vendors will say of their systems "we have liveness detection" and gullible buyers nod sagely and think ok, no problem.
      There is this pervasive complacent judgement being made by many that the biometric security of the iPhone 5S is "good enough". The point I tried to make in the interview is that we have NO WAY of telling if TouchID is good enough. Apple will not release sufficient technical specs to allow independent threat assessment. This opacity would be unacceptable in any other branch of security. But biometrics vendors get away with it, not to mention their many other liberties.
  • Hmmmm....

    Apple will probably transfer its vulnerability know how to secure biometric access control. Didn't take long before someone figured out how to bypass the face recognition crap.