I’ve seen a lot of articles around glorifying the iPhone X’s Face ID technology: how it helps people improve their security by simply looking at the phone to unlock it and forgetting about typing stuff, how it avoids the use of weak passwords, and how freaking excited consumers are about it and its usability.
I think everyone just missed the key point: security is only security when it’s evaluated against a threat model.
Different people have different security and privacy needs, so having a single security measure that protects all of them is impossible. That’s why you can still use a PIN or a passphrase to lock/unlock your phone.
Building a threat model is key when we talk about security. If you’re an IT security person with a minimum of experience in the field, you know how important threat modeling is to your organisation. It helps you find gaps in your security measures, it helps you prioritize the areas to improve to keep the bad guys out, and it helps you audit all of these.
We also know how hard it is to write a good threat model and how companies fail at doing it. Things get even worse when we deal with consumers (i.e. single individuals), since their threat model changes over their lifetime. Today you may want to defend yourself against friends, tomorrow against law enforcement, and in a year you may want to protect yourself from the NSA or the Five Eyes. (N.B. I don’t want to question why you have those needs; that’s out of the scope of this article.)
If your threat model includes the NSA, the CIA or law enforcement (i.e. you’re a journalist, or a political activist/dissident), then Face ID doesn’t improve your security posture; on the contrary, it lowers it. Law enforcement can use a part of your body to unlock devices, but they cannot force you to reveal a passphrase (they can apply pressure for sure, but that’s a different story). That’s why a fingerprint is also not a good security measure in that situation.
If your threat model includes a friend who unlocks your phone without your consent, then Face ID works perfectly. But even a PIN works (how many of your friends have tried to brute-force your PIN? And how many attempts did they make? Three? Four?).
My point is: the only security measure that works regardless of your threat model is a passphrase. Or two-factor authentication (something you know plus something you are).
Please note that a passphrase is not a password. A passphrase is a phrase used as a password, and it’s usually a minimum of two words.
I know this may be old school, and I can hear some tech-savvy blogger screaming around saying that passphrases are old, that new technologies are arising to improve the user experience while maintaining a decent degree of protection, and that we cannot stop progress and innovation. All fair points, but here we are talking about security. And I can hardly believe there is someone who will say that something that’s only in your mind is less secure than a face, a fingerprint or a hardware token.
We keep saying that security is a shared responsibility, but in reality we are only trying to make customers’ lives easier so they can buy our product without bothering too much about security (while letting them have the feeling that they are super secure). This is not how we raise the bar to have better security in our devices, nor how we get more educated, security-aware people around. On the contrary, we are lowering the bar and the attention on the topic.
I think vendors should create robust and flexible security measures to protect users’ privacy and security, and stop advertising the new shiny technologies as breakthroughs that are super secure.
On the other side, customers need to educate themselves a little more, by thinking about and choosing a reasonable threat model and activating the security features they think fit that model.
I know it’s hard, but I believe everyone should really start moving in that direction. Security (and privacy) is a topic people can no longer ignore or refuse to deal with.