The majority of negative commentary I’m seeing about Face ID in particular amounts to “facial recognition is bad” and that’s it. Some of those responses seem to be based on the assumption that it introduces a privacy risk in the same way as facial tracking in, say, the local supermarket would. But that’s not the case here; the data is stored in the iPhone’s secure enclave and never leaves the device. More than anything though, we need to remember that Face ID introduces another security model with its own upsides and downsides on both security and usability. It’s not “less secure than a PIN”, it’s differently secure and the trick now is in individuals choosing the auth model that’s right for them.
via Troy Hunt: Face ID, Touch ID, No ID, PINs and Pragmatic Security
Good read here on the pragmatic nature of what Apple is doing by pushing technologies such as Touch ID and Face ID in its devices. No, they aren’t foolproof and there are downsides. But Face ID is a way to help ensure that the “mainstrem” of security-apathetic users of these devices have at least some protection if their device is stolen etc.
However, that most people simply ignore or don’t care enough about basic security options such as 2 Factor Authentication that is available on most of the web and financial etc services we all use is appalling.
I’m constantly urging clients to use services such as 1Password or LastPass for their password generation and storage as well as services such as Authy which make it easy to use 2 Factor Authentication (and safer than relying on SMS for codes).
“But I’m a nobody. Who would want to hack my GMail or Facebook or Twitter?” isn’t a viable rationale or excuse anymore, if ever!