Earlier this month, there was lots of chatter online about the new iPhone's FaceID feature: it allows you to unlock your device just by looking at it. Behind the scenes are some hardware and algorithms which create a 3D map of your face, and determine whether you're the phone's rightful owner.
Many people seemed to not understand the difference between authentication and identification. Both authentication and identification can use biometric data, like facial recognition. Nonetheless, these use cases are fundamentally different. I'll try to explain why — I hope this can enlighten the debate around features like this a little bit.
Authentication is what you do when you log in to some Internet service, or when you unlock your phone. First, you announce your identity to the authentication system (e.g. a log-in page or lock screen). Then, you try to prove to the system that you're indeed who you claim to be. For an Internet service, identity can mean your e-mail address. For a phone, it's more implicit: you're trying to prove you're the owner of the phone.
The attack model is the following: some evil person pretends to be you, and tries to prove it to the authentication system to get access to your data. This attacker can be of various types:
- an abusive partner who wants to look into your phone,
- a scammer who wants to steal your identity,
- a spy who wants to penetrate a company's network…
Fundamentally, authentication protects against unauthorized access to data.
Identification is trying to figure out who someone is based on some characteristics they have, or data they produced. It's what the police do when running a fingerprint against a database of suspects. It's what privacy researchers do when they try to show that a data release has not been properly anonymized.
The attack model here is that somebody tries to find your identity. To succeed, an attacker needs to have a list of suspects, and enough information to distinguish who you are among all possibilities.
Good authentication vector vs. good identification vector
From these different attack models, a first distinction emerges.
- If a piece of data is secret, it will work well as an authentication vector. Passwords, codes embedded in security keys, or one-time SMS codes, are classic examples.
- If a piece of data is public, or at least known to the attacker, it can work as an identification vector. Names, dates of birth or phone numbers are good candidates.
A second distinction is on the amount of information present in the data.
- To authenticate someone, you don't always need lots of info. For example, a 4-digit PIN code is enough to get decent security on a phone, provided only a few retries are allowed.
- To identify someone, you need more than this. Even if you somehow get your hands on a database which contains everyone's PIN code, each one would correspond to many people. A PIN code alone wouldn't be enough: you need some context or more data to reliably identify someone.
Biometrics for authentication
Biometrics seem to be blurring the line. Fingerprints are not exactly secret, right? Your face is probably also all over social media. So how come they are more and more used as authentication methods?
It turns out that the secrecy of authentication data is not a required property. All we need is unforgeability: an attacker must not be able to impersonate you. If a secret is well-protected, it's difficult to falsify: the attacker can't imitate what they don't know. But biometric info can be quite unforgeable, even if it's not technically secret. It's easy to find what someone's face or fingerprint looks like, but it's hard to create a fake version of it.
Some folks have written excellent articles on the difficulty of bypassing biometric authentication. So, instead of diving into the details, I'll simply recommend this excellent post from Troy Hunt's blog.
Biometrics for identification
Information being public doesn't mean that there exists a central database containing everyone's data. This is especially true for biometric info. Most attackers don't have access to global fingerprint or facial recognition databases (yet)… But when they do, it definitely raises serious privacy concerns.
Classic identification attacks focus on finding the person behind a pseudonym or identifier. Identifiers can be phone numbers, e-mail addresses… Over time, you can change pseudonyms and identifiers[1]. You can also maintain separate identities, for example when you use a different email address for services you don't trust.
Biometric identification doesn't have these nice properties. You can't change your face or your fingerprints! And you can't use a different right thumb with border agents of different countries, either.
Furthermore, you also have less control over your biometric information. You can decide not to interact with a given online service if you don't trust it. But if you're living a "normal" life in a Western city, your face will most certainly be caught and recorded by many surveillance cameras.
Creating a facial recognition database is becoming simpler and cheaper. In Russia, pro-Putin activists identified anti-government protestors using pictures gathered from social media[2]. "Researchers" are creating algorithms to detect sexual orientation[3] or gender identity[4]. They used data from dating apps or video sharing services, and didn't ask anyone for consent.
Using biometric data for identification is not inherently problematic. For example, it helps catch violent criminals. Yet, the privacy concerns are most definitely justified.
Are those really distinct problems?
So, biometric identification is creepy, but biometric authentication isn't always problematic. But wait. If people build biometric authentication systems… How do they recognize someone's face or fingerprint if they don't store it somewhere? Didn't the engineers behind FaceID have to build a biometric database? Couldn't evil people use this for identification?
Not necessarily. For many of those tools, it is a specific design goal to not make biometric identification easier. This is achieved through a series of risk mitigation mechanisms[5]:
- The biometric data exists only on the user's phone, not in a central place. The phone vendor doesn't need to unlock your phone! So it doesn't need this information. The database doesn't exist in the first place.
- The data lives in a specific piece of hardware called "Secure Enclave". This chip encrypts and stores secrets independently of other parts of the phone. Even if a hacker takes control of your phone, or a thief steals it, they can't read the biometric data stored on it. Building a biometric database from hacked iPhones is near-impossible.
- Pictures taken during authentication are immediately discarded. Only the pictures used for enrollment (when you set up FaceID) are stored. This way, you know what is stored on your phone. This way, the chip doesn't store pictures that you wouldn't want stored there.
In addition, some fingerprint systems store only partial information on their users. Remember how a 4-digit PIN was enough for certain authentication systems? Similarly, partial biometric data can be enough to be a good authentication vector. So even if data leaks, the exact info might not be enough to uniquely identify someone.
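As an added illustration (not part of the original post), the sketch below puts numbers on the point made here and in the earlier PIN example: a credential carrying little information resists impersonation when retries are limited, yet matches far too many people to single anyone out. It generalizes the PIN case to any credential with a per-attempt match probability, assumes attempts and records are independent, and all function names, population sizes and probabilities in it are constructed for the example.

```python
import math
from collections import Counter


def auth_false_accept(match_prob, retries):
    """1:1 check: chance an impostor is accepted within `retries` attempts
    when each attempt matches the one enrolled value with `match_prob`."""
    return 1.0 - (1.0 - match_prob) ** retries


def expected_false_candidates(match_prob, population):
    """1:N search: expected number of other people whose record also
    matches the observed value."""
    return match_prob * (population - 1)


def bits_to_single_out(population):
    """Bits of information needed to pick one person out of `population`."""
    return math.log2(population)


def anonymity_set_sizes(records, keys):
    """For each record, how many records share its values for `keys`."""
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return [groups[tuple(r[k] for k in keys)] for r in records]


def constructed_population(n):
    """Constructed data, not real: PINs cycle through 0000-9999 and the
    birth year advances with each block of 10,000 people."""
    return [{"pin": i % 10_000, "birth_year": 1950 + (i // 10_000) % 50}
            for i in range(n)]


if __name__ == "__main__":
    pin = 1 / 10_000  # assumed: uniformly chosen 4-digit PIN
    print("impostor accepted within 5 tries:", auth_false_accept(pin, 5))
    print("others sharing a PIN among 1M:",
          expected_false_candidates(pin, 1_000_000))
    print("bits in a PIN:", math.log2(10_000),
          "bits needed for 1M people:", bits_to_single_out(1_000_000))
    people = constructed_population(200_000)
    print("anonymity set, PIN only:",
          max(anonymity_set_sizes(people, ["pin"])))
    print("anonymity set, PIN + birth year:",
          max(anonymity_set_sizes(people, ["pin", "birth_year"])))
```

The same match probability that keeps an impostor's chance near 0.05% over five tries leaves about a hundred indistinguishable candidates in a million-person search; only adding context (here a second attribute) shrinks the anonymity set to one.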
Authentication is a different problem than identification. Thus, a system designed for the former can also mitigate risk against the latter.
Does this mean we shouldn't worry about biometric authentication systems? Ha! No.
Point of failure 1: the tech
I'm quite confident that Apple's new FaceID system is reasonably secure. Zero-day vulnerabilities for iOS are worth millions. That's a good sign that Apple has a strong security team who know what they're doing.
But there should be a lot of healthy skepticism when anyone introduces a new system like this. Data breaches happen all the time. If a biometric authentication system is badly designed, the potential consequences are catastrophic.
Point of failure 2: the people
Did I convince you that authentication and identification are not the same thing? Excellent. Will most people understand the distinction? I'm not exactly optimistic =(
FaceID will probably make people more comfortable with facial recognition itself. And if the technology gets normalized, this will lead to more problematic uses being more easily accepted.
This week, I heard about future plans for the London public transportation system. They are considering facial recognition as a replacement for magnetic cards containing tickets. Have your face recognized when you enter and leave the subway, get charged later. This is an identification system. The privacy implications are vastly different, and the consequences of security incidents could be catastrophic.
Will people understand the difference?
[1] Are you thinking "wait a second, I can't change my social security number…"? Excellent point! This is one of the many reasons why SSNs make such terrible identifiers.