Face, fingerprint, passwords, or PIN: What's the best way to keep your smartphone secure?

Apple's Face ID has caused a stir -- but are biometrics really the best way to boost mobile security?
Written by Danny Palmer, Senior Writer


One of the most talked-about features of Apple's new iPhone X aims to boost your phone's security. Face ID allows you to unlock your iPhone, use Apple Pay, and gain access to secure apps just by looking at its screen.

The feature puts smartphone security front and centre, something which many in the industry see as a positive step, especially considering how many people don't protect their phone with even a simple PIN.

"Many consumers don't even have a passcode, not even a four-digit one. So with Face ID, it's really as easy as advertised and it will at least encourage people to use [their face] as a passcode," says Corey Nachreiner, CTO at WatchGuard Technologies.

But as demonstrated during Apple's press conference, Face ID isn't always that simple to use. Craig Federighi, the company's senior vice president of software engineering, was forced to switch to a backup device when the iPhone X refused to unlock with his face.

Apple put it down to the phone working as designed: before the demo, various Apple staff had been handling the device and failing Face ID scans, so it had locked itself to protect its contents. That is the intended fallback for any biometric unlock: after a run of failed scans the device stops accepting the biometric and demands the passcode instead.

Real-life usage can indeed present obstacles for biometric authentication.

"To get a reliable authentication system, you have to be able to accurately measure and compare some unique physiological features. But if you get these features from a smartphone or another simple device, it means shaky-hands-quality pictures and city-noise-backgrounding voices. This kind of biometric authentication will make lots of mistakes," says Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies.

Biometrics are too fallible, she says, especially since it has already been demonstrated that hackers can remotely steal fingerprints, and that the authorities can compel someone to unlock their phone with their fingerprint.

Biometrics have another problem: they can't be changed. If records of your fingerprint, face or iris are compromised, attackers could use them to get into every account protected by that biometric, and you can't realistically reset your face or your fingerprints the way you would a password.

For Galloway, that means the most secure way to protect your phone is with a password -- but it has to be complex, even if that makes the device less convenient for its owner to immediately access.


"In my opinion, a randomly generated long password is still the most secure way to lock a phone. That's not to say it's the most convenient -- it is hard to remember, of course -- but anything that makes a password simpler for the user, also makes it simpler for hackers," she says.

The simplest form of password for a phone is arguably the basic four-digit PIN used by many. The risk here is that four digits give only 10,000 possible codes, which is relatively simple to guess or brute-force, and the code is easy to "shoulder surf" -- looking over someone's shoulder as they enter it.

Using a pattern to lock the device is about as weak as using a PIN -- especially since the smudge left by repeatedly tracing the same pattern can reveal it on the screen -- but both are still better than having no user authentication at all.

"Doing something is better than nothing, the longer the passcode or passphrase the better. Four digits isn't the ideal, whereas having a longer code is good," says cybersecurity consultant Dr Jessica Barker.
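As an added illustration, not part of the article or of anything the quoted experts said, the following Python code puts numbers on the comparison above. It counts the 3x3 unlock patterns Android will accept, using the rule that a stroke may only pass over a dot already in the pattern, and sets that figure beside the keyspace of PINs and passwords of various lengths. The guess rate of 10 per second, the lock names and the function names are my own assumptions for illustration.

```python
from math import log2

# Dots on the 3x3 Android pattern grid, numbered row by row:
#   0 1 2
#   3 4 5
#   6 7 8
GRID_SIZE = 3
DOTS = GRID_SIZE * GRID_SIZE


def skipped_dot(a, b):
    """Dot that a straight stroke from a to b passes over, or None.

    Two dots have an intermediate dot only when both their row sum and
    column sum are even: same row two apart, same column two apart,
    opposite corners, or the two middle-edge pairs across the centre.
    """
    ra, ca = divmod(a, GRID_SIZE)
    rb, cb = divmod(b, GRID_SIZE)
    if a == b or (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * GRID_SIZE + (ca + cb) // 2


def count_patterns(min_len=4, max_len=9):
    """Count the unlock patterns Android accepts (4 to 9 distinct dots).

    Rule enforced here: a stroke may only pass over a dot that has
    already been used; otherwise the lock snaps to that dot first.
    """
    def extend(last, visited, length):
        total = 1 if length >= min_len else 0
        if length == max_len:
            return total
        for nxt in range(DOTS):
            if visited & (1 << nxt):
                continue
            mid = skipped_dot(last, nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would jump an unused dot: not a legal stroke
            total += extend(nxt, visited | (1 << nxt), length + 1)
        return total

    return sum(extend(start, 1 << start, 1) for start in range(DOTS))


def keyspace(alphabet_size, length):
    """Number of distinct codes for a fixed-length secret."""
    return alphabet_size ** length


def entropy_bits(n_codes):
    """Bits of work an attacker faces if every code is equally likely."""
    return log2(n_codes)


def seconds_to_exhaust(n_codes, guesses_per_second):
    """Worst-case time to try every code at a sustained guess rate."""
    return n_codes / guesses_per_second


def compare_locks(guesses_per_second=10.0):
    """Keyspace, entropy and brute-force time for common phone locks.

    The guess rate is an assumed illustrative figure; real devices throttle
    or wipe after repeated failures, which is what makes a short PIN
    survivable against online guessing at all.
    """
    locks = {
        "4-digit PIN": keyspace(10, 4),
        "6-digit PIN": keyspace(10, 6),
        "3x3 pattern": count_patterns(),
        "8-char alphanumeric": keyspace(62, 8),
        "12-char random (95 printable)": keyspace(95, 12),
    }
    return {
        name: {
            "codes": n,
            "bits": round(entropy_bits(n), 1),
            "hours_to_exhaust": round(seconds_to_exhaust(n, guesses_per_second) / 3600, 1),
        }
        for name, n in locks.items()
    }


if __name__ == "__main__":
    for name, row in compare_locks().items():
        print(f"{name:32} {row['codes']:>24,d} codes  {row['bits']:>5} bits  "
              f"{row['hours_to_exhaust']:>18,} h at 10 guesses/s")
```

A 3x3 pattern has roughly 18.6 bits of entropy, between a four-digit PIN (13.3 bits) and a six-digit one (19.9 bits), which is why it sits in the same weak tier; in practice people draw from a much smaller set of memorable shapes, so the real figure is lower. For all of these short secrets the effective defence is the throttling and wipe-after-N-failures the device enforces, not the keyspace, and an attacker who can copy the storage and guess offline is limited only by the hardware's key derivation.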

While she argues that biometrics aren't a perfect solution, they do at least move security away from being something users ignore to something they can easily use.

"In a general sense, the more we can take security away from being a burden to people, the better. Having said that, I wouldn't want to rely on biometrics to do it. How we take that burden away is something which needs better thought. But doing something is the first answer -- only a small percentage of people actually put any protection on their mobile phone," she says.

A better approach may be layers of security, where users rely on more than one technology.

"My worry with biometrics is we're still using it as a single-factor authentication. For sensitive information like bank accounts, we need to force it to be two-factor, asking for both the password and your face," says Nachreiner.

It takes a little more time, but two-factor authentication adds an extra line of defence to your accounts, and many people already use it for web email, social media and online banking.

Combining biometrics with a password could go a long way towards keeping your device, and the data stored on it, out of hackers' hands.
