Why face unlock is a bad idea

Almost every new smartphone now lets you unlock it with your face — and that’s really bad for security.

Authenticating with your face seems like a natural choice when it comes to smartphones. Talk about convenient — you were going to look at the phone anyway, right?

The smartphone industry as a whole seems to agree. Apple wasn’t the first company to come up with the idea of unlocking a smartphone with a face, but after Apple introduced it, in the iPhone X, the whole smartphone industry followed — as it always does. Almost every phone showcased at Mobile World Congress 2018 had this function. It’s a really bad trend, and here’s why.

Actually, I don’t think that face recognition is bad per se. Quite the opposite — done right, it’s probably better than authentication based on fingerprints or PIN codes. But the devil is in the details.

When we described how Face ID works, we mentioned the complexity of the recognition system: It involves a regular camera, an infrared camera, and a dot projector, as well as some machine learning, secure storage, and processing. Apple has put a lot of effort and money into making the system fast, secure, and reliable — and it’s charging a nice premium for that, selling the iPhone X for $999.

That price point causes a dilemma for other smartphone makers: Their devices typically sell for quite a bit less, but they also have to keep up on features and specs. They start by trimming things that won’t be missed right away: a cheaper speaker here, slower storage there. Maybe leave out the infrared camera and the dot projector from the face-unlock module — but keep the function; it’s a selling point, after all.

The ability to use your face to unlock your phone is a feature highlighted in marketing materials, but ad copy doesn’t tend to delve too deep into how it works. Perhaps those companies don’t want to explain too clearly how they made their facial authentication significantly less advanced, less reliable, and less secure.

In most cases, an inexpensive phone’s facial recognition relies on just the front-facing camera and some not-so-advanced algorithms, maybe using a flash to take better photos. But a regular 2-D camera without an IR sensor or dot projector can be easily fooled by photos (for example, snagged from a social media profile) printed on paper or shown on a screen. Even some of the better ones are likely still susceptible to fakery using 3-D printed masks. Even Apple’s Face ID was fooled by an “evil twin” mask attack, but phones that rely on a plain 2-D photo, with no depth data or liveness check, are trivial gatekeepers.

Not that bad, but also really bad

The widespread use of face unlocking without adequate hardware will result in lower security overall for modern phones. Fortunately, for now it isn’t usually the default authentication method — codes or fingerprints are more common. And some manufacturers use more secure systems, such as iris recognition, that are harder to fool.

However, face authentication is trendy, so I expect more and more users of cheap Android phones to switch to it (Anything your iPhone can do, my phone can do, too — and at a tenth of the price!).

We highly recommend carefully checking the details of your phone’s face recognition method before enabling it. It should be genuinely secure: it must not fall for photos or masks, leak your data, or process data insecurely. Fingerprint authentication isn’t magically infallible, but at this point, it’s more secure — and a six-digit PIN is probably your best bet for now.