Face Recognition Logins: Security and Privacy

Shimrit Tzur-David | October 2, 2017

Nearly all major smartphone manufacturers want you to unlock your phone by showing your face. While not a new technology, authentication by face recognition has undergone some major transformations in the past years, and tech companies believe it should become the default way you secure and access devices that hold a wealth of your personal information and perform sensitive operations such as payments. This includes Apple’s FaceID, Samsung’s facial recognition, and an upcoming technology being developed by major smartphone chip manufacturer Qualcomm.

And to be fair, from an ease-of-use perspective, facial recognition is very convenient. Instead of remembering a passcode of pressing your finger against a sensor, all you have to do is hold your phone’s selfie camera against your face, and your smartphone will automatically unlock itself.

But convenient does not necessarily mean more secure. Here’s what you need to know about the security and privacy implications of using facial recognition.


Your face is not your best-kept secret. In fact, using your mug as the key to your sensitive data is like printing your password on your forehead. That’s why spoofing—using the fake copy of a user’s face to bypass authentication—has been one of the main concerns of facial recognition technologies.

Early generations of facial recognition locks were easily circumvented by presenting images of the user to the device’s camera. Obtaining a high resolution image of a victim is generally easy for hackers, given the amount of data that users generate on the internet.

Later iterations of the technology added a check for “liveness,” such as verifying that the user blinks or moves their facial features. But that too can be countered using various tricks.

The latest versions of facial recognition technology, such as FaceID, the technology included in Apple’s new flagships, include the use of 3D face maps to verify the user’s identity. During the setup process, the phone uses infrared projection to create a 3D model of the user’s face, which it uses in authentication attempts to verify that that the physical features of the user correspond to those of the device owner.

This new technology is much harder to spoof—though not impossible. The main problem is the hardware requirements, which is only available on high end devices such as iPhone 8 and X. Users with older phones won’t have access to face maps, and if they want to use facial recognition, their only option will be the less secure technologies that are available.

Forced unlocking

One of the other problems that users often underrate is what happens if someone obtains your phone and holds it against your face while you’re not aware (asleep, unconscious, looking elsewhere…) or forces you to look at it to unlock it.

The newer generations of face recognition do have some safeguards against this kind of abuse, by verifying that the user is awake and aware and staring at the phone before unlocking it. However, this might not be enough to protect you against criminals who will physically force you to look at your phone.

Where law enforcement is concerned, you’re at the mercy of legislation. For instance, in the U.S., police and federal officers are required to have a warrant to search your phone, but the rule does not apply to airports and border officers.

New iPhones have added a feature to limit the damage. If a phone is connected to a computer, it will require the passcode to access the on-device data. This will make it harder for someone who has forcibly unlocked a phone to siphon its data.

Data collection and storage

Some services might store your facial data on cloud servers, where it can be mined for other purposes. This can give rise to privacy and security risks, especially if the company’s servers get hacked or, if it decides to sell it to third parties or make it available to government agencies. Governments such as China and Russia are deeply invested in facial recognition technologies and would be interested in getting their hands on all the facial data that users are uploading on cloud servers, especially if it involves 3D face maps, which is data that isn’t publicly available yet.

According to Apple, FaceID stores all its data on the phone in the “Secure Enclave” component, which is one of the most secure pieces of consumer hardware available. However, one of the drawbacks of the security FaceID is its “always listening” feature on iPhone X. You never press a button to initiate the authentication—it’s always waiting for your face to show up. This is somewhat similar to the way the Amazon Echo works, which means it is always collecting data. And contrary to your smart speaker, your phone is a personal device that you carry everywhere with you.

Final word

Like other biometric authentication methods, facial recognition is surely convenient, but not the most secure way to protect sensitive operations. It might also fail under circumstances such as unfavorable lighting conditions or when you’re wearing a hat or scarf. The technical barriers for secure facial recognition are also pretty high at the moment.

Password-free authentication methods can provide a more secure and equally friendly experience for safely conducting even sensitive online actions such as banking transactions. Nonetheless advanced facial recognition can be a reliable second-factor authentication mechanism to complement your security.