Biometrics for convenience is different than biometrics for security
Updated: Dec 3, 2019
This month at Black Hat a researcher demonstrated how to bypass Apple's Face ID liveness detection using some tape and a pair of glasses. While you still need an unconscious user to carry out this attack, it does demonstrate that all systems have a weak link.
Face ID's weakest link, however, is not its liveness detection but its fallback mechanism. When Face ID fails to authenticate, the iPhone lets the user fall back to a passcode or passphrase. So an attacker who looks nothing like the real user, but happens to know the user's passcode, can still unlock the phone.
Face ID is a really strong biometric mechanism, but the authentication process used to unlock the iPhone is not a fully biometric process - it lets the user (or the attacker) choose between biometrics and a passcode, and is therefore only as strong as the passcode. An attacker who manages to steal the passcode will be able to log in, regardless of whether the real user only ever uses Face ID.
Recently WhatsApp added a feature to protect your chats with Face ID. Once enabled, you first need to authenticate with Face ID and only then get access to your chats. But guess what happens if you fail the Face ID authentication process? Yes, you fall back to the phone's passcode. So for a phone that is already locked with Face ID or a passcode, this feature doesn't add much value as the same code can be used to unlock the phone and unlock WhatsApp.
With iPhone, biometrics are offered for convenience. It's supposed to be quicker and easier to log in with Face ID than a passcode. iPhone doesn't offer biometrics for security purposes as at any given time the user or the attacker can opt out and use a passcode instead. There is a big difference between biometrics for convenience and biometrics for security.
I realized that, unfortunately, not everyone was aware of this when building sensitive applications. Using biometrics for security purposes requires a risk-based approach in which the result of the biometric authentication is carefully assessed and correlated with many other indicators gathered from the device and the session. Continuous Adaptive Risk is key to securing any architecture that holds sensitive information.
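The contrast above, modelled as an added example (not code from the original post): a convenience-style policy in which Face ID or the passcode each unlock on their own, beside a risk-based policy that treats the biometric outcome as one signal and scores it together with device and session indicators. The indicator names, weights and thresholds are constructed for illustration, not taken from any real product.

```python
from dataclasses import dataclass


@dataclass
class AuthAttempt:
    # Outcome of the local authentication prompt
    method: str              # "face_id" or "passcode"
    succeeded: bool
    # Indicators gathered from the device and session (constructed names)
    known_device: bool       # this device has completed the flow before
    jailbroken: bool
    new_location: bool       # network/geo differs from the user's usual pattern
    biometric_failed_first: bool  # Face ID was tried, failed, then a code was typed


def convenience_policy(a: AuthAttempt) -> str:
    """Face ID OR passcode: whichever the user (or attacker) picks wins,
    so the outcome is only as strong as the passcode."""
    return "allow" if a.succeeded else "deny"


def risk_based_policy(a: AuthAttempt) -> str:
    """Treat the authentication result as one signal among several."""
    if not a.succeeded:
        return "deny"
    risk = 0
    if a.method == "passcode":
        risk += 2   # a shared secret, not a property of the person
    if a.biometric_failed_first:
        risk += 2   # the face did not match, then a code was entered
    if not a.known_device:
        risk += 2
    if a.jailbroken:
        risk += 3
    if a.new_location:
        risk += 1
    if risk >= 5:
        return "deny"
    if risk >= 3:
        return "step_up"  # e.g. out-of-band confirmation before showing data
    return "allow"
```

A real engine would add many more indicators and tune the weights from observed data; the point is that a typed passcode on an unfamiliar device never silently becomes a full-trust login.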