FaceID: convenience and security

Written on 18 November 2017, 11:53pm


Convenience

In one of the most watched reviews of the iPhone X, Marques Brownlee showed in a side-by-side comparison that the new FaceID is still slower than TouchID, but it will eventually get better with software improvements. I think that in most cases, FaceID is faster: by tapping the screen or pressing the power button to unlock your iPhone, you’re actually creating an extra step when you don’t need one. If you simply pick up the phone, then swiping up will already unlock it. Definitely faster than TouchID.
But what’s even more important, FaceID represents an important milestone in the history of biometric authentication: it’s the first time this process is done seamlessly, without even thinking about it. Even Brownlee admits that “facial recognition on a phone is closer to secure, seamless authentication than a separate fingerprint reader will ever be”.
After using FaceID to unlock my phone for more than two weeks I can feel that it works so well that it becomes easy to forget that the authentication actually happens. The closest to this feeling is the Apple Watch authentication mechanism: once you put it on your hand and unlock it, it’s easy to forget that you’re authenticated (by keeping it tied to your hand) and you can receive notifications on it. The fact that the FaceID authentication is now tied to something that you’re doing with the phone anyway – that is, looking at it – makes the experience feel close to magic.

This experience can be technically described as ‘continuous authentication’: you no longer have to make a conscious gesture in order to authenticate (e.g. type a PIN or put your finger on the TouchID); by the simple fact of looking at the phone you are already authenticated. Some examples:
– expand notifications and show the control center on the lock screen
– apps using FaceID for authentication, like LastPass: after opening them, you’re already authenticated (without the need to type a password or put your finger).
– Safari browser auto-filling the passwords

Face ID is the most compelling advancement in security I have seen in a very long time. It’s game-changing not merely due to the raw technology, but also because of Apple’s design and implementation. […] The real Face ID revolution: since you’re almost always looking at your iPhone while you’re using it, Face ID enables what I call “continuous authentication.”
Rich Mogull: Face ID’s Innovation: Continuous Authentication

Security

I described above the convenience of using FaceID and how it slowly moves us to a new era where we no longer realize we’re using biometric authentication. But how secure is it?
Before we dive into the main security concerns, it’s worth noting that before TouchID (that is a mere 4 years ago), most of us did not use a passcode on our smartphones. “Before Touch ID, about half of our users had a passcode set. Now, 9 out of 10 do.” (WWDC June 2016). With the introduction of TouchID and now FaceID, the number of people that enjoy the security benefits of using a passcode is much higher.

Here are the main concerns related to FaceID:

– accidental in-app buy or download; accidental use of Apple Pay: not possible, you have to double-tap the power button to enable FaceID in order to download an app or make a purchase
– false positive rate (security concern) / false negative rate (convenience concern): both fare better than TouchID
– somebody clones your face: still possible, and a valid concern if you have a high profile. But FaceID is more secure than TouchID: fabricating a 3D mask is arguably more complicated than a 3D finger.
– law enforcement forces you to unlock your iPhone using your face: the security level here is the same as for Touch ID. If you are concerned about this aspect, then simply don’t use FaceID/TouchID and rely on a strong passcode instead. If you are just a little bit concerned, then know that simply holding the power and one of the volume buttons together (‘squeeze’ your iPhone) will immediately require the passcode to unlock
– somebody unlocks your phone while you are asleep: you can enable ‘require attention’. But if you are concerned about this, you have bigger issues than the security on your smartphone 🙂
More about these concerns here: Face ID, Touch ID, No ID, PINs and Pragmatic Security

The only valid concern for me is the following: a thief steals your iPhone, makes you look at it to unlock, then runs away with the unlocked phone.
In this scenario, FaceID is actually worse than TouchID – because it requires no physical contact between you and the thief. The only solution for this is to ‘Find your iphone’ and remotely wipe it, but this can take time during which valuable data can be extracted from your stolen phone. A better solution would be to immediately lock the iPhone from your Watch.

Conclusions

There is always a trade-off between security and convenience. Sometimes compromises need to be made: security requires pragmatism. But FaceID just proved how it can address most security concerns while providing a seamless user experience. With time, software and hardware updates, it will get even better.
Looking even further away into the future: how long will it take until we can use it to unlock other computing devices (laptops, TVs, cars, alarm systems, security doors)? How long until you unlock your car by looking at it? Or you unlock your house by simply approaching the door and disarm your house alarm system by stepping into the hallway?
FaceID is not only an important milestone for biometric authentication, but it has the potential to change the way we interact with technology forever.

Football analytics: when football meets science

Written on 12 November 2017, 09:51pm


I wrote a piece about football analytics in Romanian: when football meets science. It was one of the articles I really enjoyed writing and it took me over 10 evenings to do it.

Here are the top level details:

Football analytics is all about using data about previous events in order to have an indication about the outcome of future events.
It is not new: it started somewhere in the ’50s and one of the first coaches to use it was a Russian trainer called Valeri Lobanovsky, in an era when a computer took up whole rooms.
I found a correlation between the DIKW pyramid and the usage of football data:
– Data – numbers and metadata collected using manual operators, tracking devices or video tools
– Information – when data is put into context. One indicator that recently became mainstream is the ‘expected goal‘ (xG) – a percentage associated with every shot based on previously aggregated data
– Knowledge – when information is combined with previous experience. Example – aggregating information about indicators like xG (xG for, xG against, non-shot xG, xG difference)
– Wisdom – using the previous levels to take strategic decisions that enable a competitive advantage.

The first two levels are for the football fans, media writers and TV pundits.
The last two levels are for the professional football clubs and for the betting companies. This is where football analytics takes place, and these levels can give an indication about future events.

A few examples of football analytics:
1. transfers: before any transfer, the targeted player is analysed from a few perspectives: tactical, physical, technical. The modern clubs are using player databases with custom criteria in order to maximize their match rate.
2. injury prevention: by tracking the way a player runs and measuring how long his feet stay on the ground, one can evaluate the player’s tiredness
3. predicting the outcome of future events by calculating and maintaining a club index (e.g. fivethirtyeight.com)
4. penalty shoot-out: statistics showed that the team shooting first has a 20% advantage over the second team. The football governing bodies realized this unfair advantage and recently changed the order of the shoot-out (now ABBA instead of ABAB)

In the end, football remains a random sport. Using analytics can give indications, and make the clubs better understand some questions, but it cannot (yet) give definite answers. As long as football is played by humans, the human factor will play its part and will keep football random and enjoyable.


The graphics on Fifa 16 are something else

The anaerobic threshold and training

Written on 4 November 2017, 11:52pm


This is a continuation of this post about aerobic (low intensity) vs anaerobic (high intensity) training.
A quick review of the two types of activities:
Aerobic: the energy is created by burning fat and carbs. This produces CO2 and water (breathing and sweating).
Anaerobic: to keep up with the additional energy requirements, the body burns sugar supplies (glycogen) in addition to the carbs and fat. This produces lactic acid (in addition to CO2 and water), and when this acid is produced faster than it can be metabolized, the muscle pain appears.

The anaerobic threshold (AT) is the point where the aerobic system can no longer keep up with the energy requirements. After this threshold, the anaerobic metabolism kicks in. Because of the lactic acid production, the AT is also known as lactate threshold.

The fitter you are, the longer you can fuel your body with the aerobic system before the anaerobic system needs to take over.
Interval workouts are effective for raising the AT. For the best results, vary your workouts between aerobic work (where duration takes priority over high intensity), and higher-intensity intervals (where you will be just under or at your Maximum Heart Rate).
http://www.concept2.com/indoor-rowers/training/tips-and-general-info/anaerobic-threshold

The AT is generally linked with the heart rate.
A quick estimation of your AT is 85% of the maximum heart rate (MHR). The MHR can in turn be estimated as 220 - age. So for a 36 year old person, the MHR=184, and the AT is 157bpm. Basically this tells us that once this heart rate is reached by a 36 year old, his body switches to anaerobic metabolism.

In order to push the AT, you can either:
– do HIIT (high intensity interval training), where you alternate low intensity with high intensity intervals (aerobic vs anaerobic)
– or do ATT (anaerobic threshold training), where you train just around the AT value.

Again, these types of training are generally linked with the heart rate. A widely used concept is the training heart rate (THR) (some gym machines also refer to the target heart rate).
In determining the THR, the following indicators are being used:
– the resting heart rate – RHR. It can be determined with a heart rate monitor or Apple Watch right after you wake up.
– the maximum heart rate – MHR. It can be either measured with an ECG in a controlled environment, or estimated as 220-age (other formulas exist).
– the heart rate reserve – HRR defined as MHR minus RHR

Using the indicators above, each type of training can be associated with a certain THR range:
– the aerobic training (low intensity), 50–75% HRR + RHR
– the AT training, 80–85% HRR + RHR
– the anaerobic training (high intensity), 85-95% HRR + RHR

If RHR=52, MHR=184, HRR = 132 and age=36, then
– THR range for low intensity training: 118-151 bpm
– THR range for AT training: 158-164 bpm
– THR range for high intensity training: 165-177bpm


Image: sportograf.com