Subtlety is the Future of Biometric Authentication

Biometric security standards have been evolving ever since the fingerprint scanner came into focus with Apple’s iPhone 5S. Adoption was rapid and the fingerprint scanner is almost ubiquitous now, found on flagship models from OEMs as well as entry level models. However, biometric authentication is evolving to a stage where it becomes truly transparent.


Biometric Authentication Over the Years

Ever since phones became ‘smart’, they have been digital vaults, containing everything from bank account details and emails to pictures (in some cases questionable ones) and other personal information. One of the first modes of security was the pass code, which is still found on many phones. Android took it a step further by giving users the option to draw a security pattern, and then came biometric authentication: from the (now humble) fingerprint scanner to 2D face unlock, iris scanning and voice unlock.

For many years the fingerprint scanner was the reigning champion, used for unlocking phones, verifying purchases and everything in between. Other security measures such as face unlock, and iris scanning were still present on many flagship smartphones, but the fingerprint scanner was viewed as the easiest and the most secure way to unlock phones. Face unlock and iris scanning were seen as gimmicky, since factors like bad lighting and different angles caused them to fail, frustrating users who would instantly switch to the fingerprint scanner as their preferred mode of authentication.

The Defining Moment for Biometric Authentication

With the launch of the iPhone X, Apple ditched the fingerprint scanner and launched Face ID, which is touted as being more secure than Touch ID. Apple’s website says that “The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID)”. Face ID was a revolution for biometric authentication, using a mode of authentication that is as unique as your fingerprint: your face. Unlike previous attempts at face authentication, which relied on a 2D map of your face, Face ID creates a 3D map of the user’s face by projecting 30,000 invisible (read infrared) dots, an approach that is inherently more secure. In addition, problems like bad lighting were mitigated, though extreme angles still cause it to fail.


What Face ID did was to enhance the user experience by removing physical interaction. The user had no mandate to place his/her hand on a particular button or in a particular area, all they had to do was look at the phone and swipe up. Apple’s enhanced focus on security also allayed fears that users might have had about Face ID.

Face ID, some might say, is almost magical, since users never feel that there is a step they have to take to unlock their phone. Of course, that sense of magic disappears when the phone vibrates vehemently, indicating that your face has not been recognized and a pass code is required. Face ID on the iPhone X is also a beat slower than the current crop of fingerprint scanners, though reports suggest that the second generation of Face ID on the iPhone XS and XS Max is much faster.

This is, of course, the first concrete step towards a better and indiscernible biometric system, and many OEMs are catching up with Apple, debuting their own versions of Face ID.

The Danger of Convenience

While biometric authentication is no doubt convenient, there have been many cases of it being used against the very individuals it is supposed to protect. One notable instance is law enforcement forcing subjects to unlock phones with their fingerprint and, more recently, with their face.

In addition to the above, privacy concerns have been raised, especially with respect to Face ID. Face ID creates a detailed 3D map of your face, and privacy advocates have been worried about the implications of this data being available to developers and how they could exploit it. Developers could use this data to gauge real time sentiment (understand how a user is feeling during app usage) and serve ads accordingly, and even predict the moods of a user throughout the day. Apple has made assurances that this data is secure and that apps which use it must go through a stringent review process. However, lapses can occur with users being totally unaware. One approach to tackling this issue would be to implement frequent mandatory hygiene checks for apps that use Face ID data.

Where Can Biometric Authentication Go From Here?

The next step towards enhancing the security of biometric authentication would be for OEMs to start exploring means by which biometric authentication systems could detect anomalies in facial expressions, such as fear or anger. Indicators such as furrowed eyebrows or rapid dilation and constriction of the pupils could serve to lock down the device, with multiple security overrides required before the device became usable again.

With wearables in play (smartwatch shipments grew 37% YoY in Q2 2018), the device could also factor in other indicators such as elevated heart rate and perspiration to understand that the user is under a high level of stress.

Biometric authentication systems might evolve to a place where the phone unlocks when the user picks it up. To make this truly secure, data from the gyroscope, accelerometer, Face ID and wearables, amongst others, could be tapped into. This would also raise the bar considerably, since an attacker trying to breach a device would not be able to bypass security data gleaned from different sources on the device.

Added security, however, comes at the cost of convenience. There could be situations where the phone erroneously refuses to unlock, deeming the user to be under stress. To strike a balance, phones must combine AI, machine learning capabilities and sensor data so that they can be watchful for a sharp deviation from regular user behaviour. Rather than going into full lockdown, the phone could instead immediately revoke access to certain applications that the user has designated (banking apps, password vaults).
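A sketch of the graded response described above, as an added example that is not taken from any vendor's implementation: a face match is combined with context signals compared against the user's own baseline, and a single deviation restricts the designated apps rather than locking the device. The signal names, thresholds and sample readings are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed per-user history for two context signals (illustrative values).
BASELINE = {
    "heart_rate_bpm":  [62, 66, 64, 70, 68, 65, 63, 67],   # paired wearable
    "pickup_tilt_deg": [38, 41, 40, 43, 39, 42, 40, 41],   # gyroscope/accelerometer
}
SENSITIVE_APPS = frozenset({"banking", "password_vault"})  # user-designated apps
FACE_MIN = 0.90   # assumed minimum face-match score
ANOMALY_Z = 3.0   # assumed: 3 or more standard deviations from baseline is anomalous


def anomalies(sample, baseline=BASELINE):
    """Split context signals into (anomalous, missing) relative to the baseline."""
    anomalous, missing = [], []
    for name, history in baseline.items():
        if sample.get(name) is None:
            missing.append(name)            # absent sensor cannot vouch for the user
            continue
        spread = pstdev(history) or 1e-9    # guard against a perfectly flat history
        if abs(sample[name] - mean(history)) / spread >= ANOMALY_Z:
            anomalous.append(name)
    return anomalous, missing


def decide(sample):
    """Return (action, revoked_apps) for one unlock attempt."""
    if (sample.get("face_match_score") or 0.0) < FACE_MIN:
        return "passcode_required", SENSITIVE_APPS
    anomalous, missing = anomalies(sample)
    if len(anomalous) >= 2:                 # independent sources agree: full lockdown
        return "lockdown", SENSITIVE_APPS
    if anomalous or missing:                # step down instead of locking the user out
        return "unlock_restricted", SENSITIVE_APPS
    return "unlock", frozenset()


if __name__ == "__main__":
    attempts = {  # constructed unlock attempts
        "calm":       {"face_match_score": 0.97, "heart_rate_bpm": 66, "pickup_tilt_deg": 40},
        "after run":  {"face_match_score": 0.97, "heart_rate_bpm": 80, "pickup_tilt_deg": 41},
        "no watch":   {"face_match_score": 0.97, "pickup_tilt_deg": 40},
        "stress+odd": {"face_match_score": 0.97, "heart_rate_bpm": 80, "pickup_tilt_deg": 46},
    }
    for label, sample in attempts.items():
        action, revoked = decide(sample)
        print(f"{label:10s} -> {action:18s} revoked={sorted(revoked)}")
```

A missing wearable reading is treated like a single deviation, so removing the watch cannot lower the level of scrutiny.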

Biometric authentication methods still need to find the right blend of safety and security while still being convenient. Until then we can hope that this quote from Michael Meade, “A false sense of security is the only kind there is”, does not ring true for much longer.
