When the iPhone X eventually arrives in November it will come loaded with a futuristic camera module that, if all goes right, should let you securely open your phone with little more than a glance. The promise is enticing—a perfect blend of convenience and security that’s hard to come by in mobile computing devices. After an impressive demo of the tech on Tuesday, we’re left with a glaring question: If it works as intended, then what happens to Touch ID?
Touch ID is Apple’s original futuristic security measure. Press your thumb to a capacitive touch sensor that rapidly searches for a (relatively) unique pattern formed by the whorls of your fingertips. Once it spies it, the phone unlocks, and like a 90s-era hacker “you’re in.” It feels like magic, and even now it can feel like the future if you’ve been stuck on a phone with a lesser fingerprint scanner or none at all. There’s no peering at the screen and racking your brain for a PIN. All you need is a touch.
Only this futuristic technology isn’t especially new. “Fingerprint scanners have been around a long time,” Nasir Memon, a computer scientist with a focus on cyber security and chair of the New York University Tandon School of Engineering, told Gizmodo. Toshiba actually introduced the tech into phones back in 2007 with the Portege G500 and G900. That’s six years before Apple introduced the tech in the iPhone 5s, and Apple only introduced the tech after first acquiring one of the biggest names in fingerprint technology, AuthenTec. It bought its way into the land of Touch ID, and while the Apple-branded tech has since popularized opening your phone with a touch, it’s not without problems. Chief among them is the security risk.
Touch ID doesn’t just secure one unique fingerprint scan in your phone; it can have dozens depending on how many fingers you register. Memon claims that, “what it’s doing is capturing small, small squares—little partial fingerprints.” According to Memon, who recently published a paper in IEEE Transactions on Information Forensics & Security based on his findings, each fingerprint creates eight to ten of these partial fingerprints, and due to the size of the sensor those partials are tiny. The more fingers you add to open the phone, the more tiny partials you produce, and the more at risk you become of someone randomly (or more likely purposely) finding the right tiny partial needed to get into the device.
Memon is careful to point out this problem isn’t the end of the world. The chance of a stranger randomly touching your phone and opening it is small. But it makes the device less secure, and if you’re carrying big coveted secrets on your device, it makes it more likely a bad actor could have an easier time getting in. Face ID is more secure. Phil Schiller, senior VP of Worldwide Marketing at Apple, claimed that Touch ID had a 1 in 50,000 chance of opening with the wrong finger. He claimed Face ID had a far less scary 1 in 1,000,000 chance. There should be only one face that looks like yours, with the same curve of cheek and jut of chin. Matching to one face instead of one of ten or more partial fingerprints is instantly more secure—provided your identical twin isn’t an asshole.
The bigger problem Touch ID faces is the trend of phone design. Look at the iPhone X, the Samsung Note 8 and S8, the LG G6, or even devices from lesser-known (in America) makers like Huawei and Xiaomi. The bezel is quickly getting killed off on premium phones. Instead, the display takes up the whole front of the device, leaving little room for a fingerprint scanner. While most Android makers have simply moved the scanner to the back of the device, it’s an inelegant solution. Blindly looking for the right spot to touch on the back of your phone is a minor but crucial inconvenience compared to a quick press of the home button on the front.
Qualcomm, the chief provider of CPUs to Android phone makers (and one of the primary providers of wireless chips to Apple), introduced its own solution to this thumbprint problem last year. This solution was based on the much newer ultrasonic fingerprint scanning tech, which blasts your finger with harmless ultrasonic waves to quickly create a 3D image of the skin, detailing the exact depth of every ridge and valley in your whorls.
The original solution Qualcomm introduced last year could go through glass and...not much else. That meant it couldn’t go through OLED displays like those in the new iPhone X or the Samsung S8. According to Seshu Madhavapeddy, VP of Product Management of Qualcomm (and before that VP and GM of Mobile Computing there), in a conversation with Gizmodo, the limitations of the sensor made it difficult to integrate into the designs of a lot of the major phone makers. So difficult that exactly one phone launched with the tech, the Xiaomi Mi 5s. “The first generation of fingerprint sensor we had could not be universally used by all smartphone makers,” he told Gizmodo.
Which is why this year the company introduced a second generation that can go through thicker glass and through other substances—like an OLED display. Problem solved, right? Apple, Samsung, and the rest should be able to immediately fold this tech into their newest, neatest phones and let Touch ID and its competitors happily live on.
Not exactly. Because ultrasonic fingerprint sensors are still, in many ways, bleeding edge technology, and bleeding edge doesn’t gel with the demands of security technology. When it comes to securing the device you use all day every day you need to balance cool-as-hell new tech with stability and consistency.
“I think I could foresee some challenges because of the plate that is adopted that might result in some ultrasonic phenomena that might be a deterrent to getting a good quality fingerprint,” Arun Ross, professor of computer science and engineering at Michigan State University, told Gizmodo. Basically, it’s much easier to acquire a bad scan with an ultrasonic fingerprint sensor. You have to account for every little aspect of the device. Errant signals, a bad bit of soldering, even a scratch in the glass could potentially contaminate a scan and ruin the phone’s ability to open with a touch. The technology is possible, but between limitations of the tech and manufacturing, it’s much more difficult to implement than the capacitive touch sensors Apple first put in a phone four years ago.
This is a fact supported by a report in the Wall Street Journal earlier this month. “Apple tried to embed the Touch ID function, or fingerprint scanner, in the new display, which proved difficult.” It proved so difficult to implement in the phone that Apple, and its manufacturers, reportedly had to scuttle the whole idea, focusing on Face ID instead.
This all seems to imply that the new flagship of the iPhone lineup probably won’t be getting Touch ID anytime soon, and that means the just introduced Face ID might be the future. As with the headphone jack, Firewire, and the CD drive, it feels like Apple looked at the lay of the land, saw where the future was, and decided to just go there, flipping the past off as it sped away.
Whether or not Apple bungled the manufacturing, focusing on Face ID and the tech behind it actually feels like a smart, forward-looking move (I’ll still miss Touch ID). Unlike ultrasonic fingerprint readers, the basic tech behind Face ID has been around a while. This is mature, relatively reliable technology that doesn’t produce the frustrating manufacturing and design problems the alternative has provided. Microsoft released a version of facial recognition back in 2015 as part of the Windows 10 launch. The tech, which uses an IR camera to scan your face regardless of lighting scenarios, has achieved a measure of stability two years in—even if it will sometimes fail to read your face if you take off the glasses that you normally wear.
Apple’s version of facial recognition has the potential to be even more accurate and secure. The camera module used doesn’t just include an IR camera and photo camera. There’s also a projector shooting 30,000 IR dots at your face to create a map. By mapping, Apple claims, it can get around problems faced by face recognition technologies by competitors like Microsoft’s Windows Hello. Chief among them—Apple should be able to recognize your face whether you’re wearing glasses or not.
I say “should” because Apple actually had trouble with Face ID during the live demo at the iPhone X event. During the demo Craig Federighi, senior VP of Software at Apple, failed to actually open the phone with a glance. Instead he had to, embarrassingly, open the phone by entering a PIN.
If Face ID performs that poorly in the model shipping to consumers in November, it will leave the company’s biometric security array in a world of hurt. If I can’t open the phone of the future with my face then it’s not actually, you know, the phone of the future.
“It all comes down to how good the facial recognition is,” noted Apple fan John Gruber wrote last week amidst rumors there would be no Touch ID on the iPhone X. “If it’s as fast, reliable, trustworthy, and convenient as Touch ID, then omitting Touch ID is a legitimate design choice. Forward progress on biometrics. If it’s worse than Touch ID in any meaningful way, it’s an inexcusable mistake.”
Gruber is absolutely right, but retiring the thumbprint tech (it will likely appear in cheaper iPhones for the foreseeable future) to lean on rapidly maturing and potentially more secure technology feels like a very Apple move. The company isn’t always the first to arrive at a solution, but it usually does so with the kind of aplomb that makes us wonder why we haven’t been using it for decades.