As smartphones begin using scanned IDs, skeptics cite glitches, misuse and a growing surveillance culture
Ashton Hickey appreciates some of the advanced features on her iPhone 8, like wireless charging and a camera that shoots high-definition 4K video.
But there's one she refuses to use: the fingerprint sensor that lets people access their phones with a single touch. Instead, she continually enters her six-digit passcode.
"I can handle typing that in," said Hickey, a freelance locations coordinator for movies and television shows. And she wouldn't ever consider the facial recognition on the latest iPhones. "Like more and more tech, it's [something] potentially nefarious, disguised as a way to make our life easier."
Hickey is one of a small but passionate group of smartphone owners resisting the recent wave of biometric security features, such as Apple's facial recognition technology and Samsung's iris and facial scans. Instead, they're sticking with passcodes or unlock patterns to access their smartphones even as companies push biometrics as key selling points on the newest thousand-dollar devices.
Avoiding commercial biometric security could be an increasingly difficult feat in the future. Smartphone makers are sticking with the tech and say it is faster and safer to use than a passcode alone. Facial recognition as an ID is already being offered to consumers outside of phones, including at airport check-ins, sports stadiums and concerts.
Computer science experts who study biometrics predict there will only be more options in the coming years, such as voice or heart-rate detection, signature authentication and even devices that can tell who you are by the way you walk. The Pentagon is already working on tools for gait and heartbeat identification.
But the passcode holdouts say they are worried about people gaining access to their phones through faulty fingerprint or face-detection tools. They fret about the security of their sensitive biometric data, which they fear could fall into the wrong hands. Some say they are concerned about law enforcement access, the trustworthiness of tech companies or normalizing a growing surveillance culture.
"I only have one face and 10 fingers, so my tolerance for theft of that data is extremely low," said Steve Schott, who works in manufacturing in Colorado. A Galaxy S9+ owner, Schott says he has never used the phone's biometric options, which include an iris scan, face recognition and fingerprint sensor. He says he doesn't know where the biometric information goes and who has access to it.
Some recent high-profile blunders by smartphone makers may have contributed to one of the common security fears passcode loyalists have: that it is easy to trick a biometric scanner.
Last month, Google admittedthat its new Pixel 4 smartphone was shipped with a face-detection feature that would unlock the phone even when a person's eyes were closed - meaning it might work if they were asleep or even dead. Meanwhile, Samsung's Galaxy S10 ultrasonic fingerprint sensors could be tricked with a protective third-party silicon screen cover, opening the phone for anyone with a finger.
In response, Google said it is working on a software update for Pixel 4 phones that will add an option for eye-open unlocking only. Samsung recently released a software update for the Galaxy S10 and other recent devices that it says will address the fingerprint issue.
Those bugs aside, biometrics on phones are considered hard to fool. The odds of guessing a four-digit passcode are 1 in 10,000, and tools have been used to crack iPhone codes in the past. Apple says the chances of someone having a similar enough fingerprint to unlock a person's phone is 1 in 50,000, and a similar enough random face tricking Face ID is 1 in 1,000,000. That doesn't take into account other ways of duping biometric features, like what happened with Samsung's fingerprint sensor.
Security experts agree that it's safer overall to use biometrics, and ideally a combination of the two. (Even with a biometric authentication, most smartphones still require a passcode or pattern in some situations, such as when it is first turned on.) According to Kevin Bowyer, a professor of computer science and engineering at the University of Notre Dame, biometric security is improving faster than password technology.
"Biometrics have problems," said Andy Adler, a professor of systems and computer engineering at Canada's Carleton University who specializes in biometrics. "Overall, my opinion is it's still better than what it's replacing."
Many concerns about using biometric security stem from confusion about how and where the information is stored. It's easy to change a password, but what happens when a fingerprint is stolen?
Apple, Samsung and Google don't actually keep copies of fingerprints or people's faces on their servers. For example, Apple turns face and finger scans into mathematical representations of the features, encrypts the information and stores it all on the actual devices. Both Google and Samsung also store encrypted biometric information on the devices.
Popular smartphones may be secure, but consumers are wary about extending that faith to other companies. As biometrics pop up in more locations, smaller or less reputable services will gather similar information with different levels of security. Earlier this year, fingerprints for more than a million people were found on a publicly accessible database, according to the Guardian.
People worried about biometrics are struggling with trust in the entire tech industry. The majority of adults in the United States trust tech companies to "do what is right" only some of the time, according to a 2018 Pew survey, compared with 25 percent who trusted them most of the time and 14 percent who hardly ever trusted them.
"I don't like the idea of a phone company having any of my biometric data," said Craig Craker, a writer from Idaho. "I'm sure all of that is irrational and that the phone companies already know everything about me, but I like being stuck in the past with some things."
There's no current statistic on how many passcode-only people there are, but in 2016 Apple said that 89 percent of people with compatible iPhones were using fingerprints to unlock their devices. In a 2018 survey of 4,000 adults by IBM, only 67 percent of people said they were comfortable with biometrics, but 87 percent said they would probably be comfortable using them in the future.
Using a passcode - especially if it's longer, as recommended by security experts - takes time and effort. Biometrics become harder to resist when considering how often you have to enter a code - in 2016, Apple said iPhone users were unlocking their devices 80 times a day on average. (The company did not share more recent stats on how often phones are unlocked.)
That's time Kerry Frost, a mother of two, now has to put in. Early one morning, her 10-year-old son wanted to download an update for the video game Fortnite while she was still asleep, but he was stymied by parental controls on her Android phone. He sneaked into his mom's room, pressed her finger on her phone to unlock it, then turned on WiFi for his own device.
"I guess he went on to play Fortnite, but I had no idea anything happened until the next day," said Frost, who now uses a passcode to lock her phone.
And then there's the complicated issue of law enforcement. Many people sticking with passcodes are worried about being compelled to unlock their phone by the police. According to Brett Max Kaufman, a senior staff attorney at the American Civil Liberties Union, current rules around whether law enforcement and the government can compel a person to unlock their phone with passcodes or biometrics are still up in the air. And most phones will default to passcodes after a set time of not being unlocked. However, if it is a real concern, skipping biometrics can be advantageous, says Kaufman.
There's a danger in getting too comfortable with using faces for ID, said Evan Greer, deputy director of Fight for the Future, a nonprofit internet advocacy group. Face detection is showing up everywhere from airports to sport arenas as a way to confirm a person's identity, but also in ways people may not consent to, like through security cameras or online services. People used to it on their phones could be more likely to accept it in other places, even in tools created by companies with looser security and privacy policies.
"In the end, you have to decide who to trust," said Greer. "With a passcode you're really trusting more or less yourself, where with a face scan you're putting trust in a company with your biometrics."