As a developer Apple made it the transition from TouchId to FaceId easy with the LocalAuthentication library (more below). But as a user that had grown accustomed to TouchId, I did not like the TouchId button going away. What were the reasons for TouchId to be replaced completely by FaceId. What happened on other platforms like Android and FIDO ? Let’s explore in this post.

Both Touch ID and Face ID are biometric authentication technologies developed by Apple for their iPhone lineup. Each has distinct implementations and security features. Here’s a detailed contrast of the security aspects and implementations of Touch ID and Face ID:

Touch ID

Implementation:

• Technology: Touch ID uses a capacitive touch sensor embedded in the Home button or, in newer models, in the power button.
• Enrollment: Users register their fingerprint by repeatedly placing their finger on the sensor, which captures a high-resolution image of the fingerprint.
• Authentication: When authenticating, the sensor captures the fingerprint image and compares it to the enrolled fingerprint data.

Security Features:

• Secure Enclave: Fingerprint data is stored in an encrypted format in the Secure Enclave, a separate processor within the iPhone’s A-series chip. This ensures that fingerprint data is never accessible to the operating system or any apps.
• False Acceptance Rate (FAR): Apple claims that the chance of a random person being able to unlock an iPhone with Touch ID is approximately 1 in 50,000.
• Liveness Detection: Touch ID includes some measures to detect the presence of a live finger to prevent spoofing with artificial fingerprints.

Face ID

Implementation:

• Technology: Face ID uses a combination of infrared and dot projection technology, known as the TrueDepth camera system, to create a detailed 3D map of the user’s face.
• Enrollment: Users enroll by moving their head around so that the TrueDepth camera can capture their face from multiple angles.
• Authentication: During authentication, the system projects over 30,000 infrared dots onto the user’s face and captures the pattern with an infrared camera to create a 3D facial map.

Security Features:

• Secure Enclave: Facial data is also stored in the Secure Enclave in an encrypted format, similar to Touch ID, ensuring it is never accessible to the operating system or apps.
• False Acceptance Rate (FAR): Apple claims that the probability of a random person unlocking an iPhone with Face ID is approximately 1 in 1,000,000.
• Liveness Detection: Face ID employs advanced liveness detection to ensure the person presenting the face is real and not a photo or mask. This includes attention awareness, requiring the user’s eyes to be open and looking at the device.
• Adaptability: Face ID can adapt to changes in the user’s appearance over time, such as growing facial hair, wearing glasses, or aging.

Comparison and Security Implications

• Accuracy and False Acceptance Rate: Face ID is significantly more accurate than Touch ID, with a FAR of 1 in 1,000,000 compared to Touch ID’s 1 in 50,000. This means Face ID is generally more secure against random attempts to unlock the device.

• Resistance to Spoofing: Both systems are designed to resist spoofing, but Face ID’s use of 3D facial mapping and infrared technology makes it more robust against attempts to bypass it using photos or masks. Touch ID’s liveness detection is less sophisticated compared to Face ID.

• Environmental Conditions: Touch ID can be affected by wet or dirty fingers and may not work if the sensor is damaged. Face ID, on the other hand, can be impacted by certain lighting conditions or if the user is wearing accessories that obscure the face (e.g., certain sunglasses or masks).

• User Convenience: Face ID generally offers a more seamless experience as it works even when the user’s hands are occupied or when wearing gloves. However, in situations where face coverings are required, Touch ID may be more convenient.

Both Touch ID and Face ID offer robust security features, but Face ID provides enhanced security through its more sophisticated technology and lower false acceptance rate. The choice between the two may come down to personal preference and specific use cases, such as the need for convenience in different environments.

Transition from Touch ID to Face ID

API Transition:

1. Initial Introduction:

• Touch ID (iOS 7, 2013): When Apple introduced Touch ID with the iPhone 5s, they provided APIs in the LocalAuthentication framework, allowing developers to integrate fingerprint authentication into their apps.
• Face ID (iOS 11, 2017): With the introduction of Face ID in the iPhone X, Apple updated the LocalAuthentication framework to support facial recognition alongside fingerprint recognition.

1. Unified API:

• Apple designed the LocalAuthentication framework to abstract away the specifics of biometric authentication. This means developers typically don’t need to change their code to support both Touch ID and Face ID. Instead, they use general methods to request biometric authentication, and the system handles the specifics.
• For example, the method LAContext.evaluatePolicy(_:localizedReason:reply:) works for both Touch ID and Face ID.

1. Backward Compatibility:

• Apple ensured backward compatibility, so apps built to support Touch ID automatically support Face ID without requiring significant changes. The system dynamically determines which biometric method to use based on the hardware capabilities of the device.

Developer Considerations:

• Developers are encouraged to check for biometric type (LABiometryType) to provide appropriate messaging or handle specific cases where one type may be preferred.
• Apple provides clear guidelines and updates during WWDC (Apple Worldwide Developers Conference) to help developers transition smoothly and take full advantage of new hardware features.

FIDO on Android

FIDO (Fast Identity Online):

1. Overview:

• The FIDO Alliance is an open industry association aimed at creating authentication standards to reduce reliance on passwords. FIDO protocols use standard public key cryptography techniques to provide stronger authentication.

1. Adoption on Android:

• Android has supported FIDO2 since Android 7.0 (Nougat). FIDO2 includes WebAuthn (web authentication API) and CTAP (Client to Authenticator Protocol), enabling passwordless authentication on the web and mobile apps.
• Google Play Services provide FIDO2 API support, making it available on most modern Android devices.

1. Biometric Integration:

• Android’s BiometricPrompt API (introduced in Android 9.0 Pie) allows apps to integrate various types of biometric authentication (fingerprint, face, iris) in a standardized way.
• BiometricPrompt is designed to support multiple biometric types, providing a unified API similar to Apple’s LocalAuthentication framework.

Face ID on Android:

1. Face Authentication:

• Android supports face authentication through the BiometricPrompt API. The specifics of face authentication can vary by manufacturer, as Android devices have diverse hardware capabilities.
• Devices like Google Pixel 4 and some Samsung models have advanced face recognition similar to Apple’s Face ID, using infrared sensors and dot projection for 3D facial mapping.

1. FIDO and Biometric Standards:

• The FIDO Alliance promotes biometric standards, including facial recognition, but the implementation and quality can vary widely on Android devices.
• Some Android manufacturers implement their own facial recognition solutions, while others rely on Google’s BiometricPrompt API for a more standardized approach.

Transition from Touch ID to Face ID:

• Apple’s transition from Touch ID to Face ID was facilitated by a unified API (LocalAuthentication), allowing seamless integration for developers and users.

FIDO on Android:

• FIDO2 standards are widely supported on Android, enabling strong, passwordless authentication.
• Android supports multiple biometric methods, including facial recognition, through the BiometricPrompt API. However, the implementation quality and technology can vary between devices.