Random links #16

Written on 19 May 2019, 12:44pm


The problem-solving process requires two preliminary steps: explain and incubate.

The process of problem-solving is first to explain and explore the situation and objectives. We can ask questions and share information, but we can’t propose solutions. Then we require an incubation period for subconscious problem-solving during which we undertake some mundane activity. Then we cooperate on finding solutions.

Graeme Simsion – The Rosie Result

Security exists in a continuum. Something pretty obvious for the people in the industry, but which has to be stated more often since there are many parties claiming perfect security or, as in the case of Bloomberg, arguing that better security is just as useless as little security:

Security is not binary, which is obvious if you give it even a moment’s thought. A locked door is more secure than an unlocked one. A door with two locks is more secure than one with a single lock. A locked door with a locked gate in front of it is more secure than one without a gate.
In the same way a door is more secure locked than unlocked, messaging of any sort is more secure encrypted than unencrypted. End-to-end encrypted messaging is more secure than encryption that is not end-to-end.

John Gruber – Bloomberg on cybersecurity

The Locard’s Exchange Principle – met in one of the best books I read recently:

NOT EVERYBODY KNOWS THIS – OR CARES PROBABLY – BUT THE FIRST LAW of forensic science is Locard’s Exchange Principle, and it says ‘Every contact between a perpetrator and a crime scene leaves a trace.’ As I stand in this room, surrounded by dozens of voices, I’m wondering if Professor Locard had ever encountered anything quite like Room 89 – everything touched by the killer is now in a bath full of acid, wiped clean or drenched in industrial antiseptic. I’m certain there’s not a cell or follicle of him left behind.

Terry Hayes – I Am Pilgrim

The efficiency gain of the electric vehicles is overwhelming. This time Bloomberg gets it right:

About 10 million barrels a day of oil demand – roughly what Saudi Arabia produces now – isn’t merely switched into another form of energy. It’s just gone. Such is the power of efficiency. EVs convert a far higher proportion of the energy from the socket to power their wheels than a conventional vehicle does. 
Thermal energy generates a lot of waste in the form of heat. Only about one in four or five of those gallons of gasoline you pump and pay for provide energy you actually use, and perhaps 60-70% of what statisticians call the world’s primary energy use is really just waste

Liam Denning – Electric vehicles are overwhelmingly more energy efficient

FaceID: convenience and security

Written on 18 November 2017, 11:53pm


Convenience

In one of the most watched reviews of the iPhone X, Marques Brownlee showed in a side-by-side comparison that the new FaceID is still slower than the TouchID, but it will eventually get better with software improvements. I think that in most cases, FaceID is faster: by tapping the screen or pressing the power button to unlock your iPhone, you’re actually creating an extra step when you don’t need one. If you simply pick up the phone, then swiping up will already unlock it. Definitely faster than TouchID.
But what’s even more important, FaceID represents an important milestone in the history of biometric authentication: it is the first time this process is done seamlessly, without even thinking about it. Even Brownlee admits that “facial recognition on a phone is closer to secure, seamless authentication than a separate fingerprint reader will ever be”.
After using FaceID to unlock my phone for more than two weeks I can feel that it works so well that it becomes easy to forget that the authentication actually happens. The closest to this feeling is the Apple Watch authentication model: once you put it on your hand and unlock it, it’s easy to forget that you’re authenticated (by keeping it tied to your hand) and you can receive notifications on it. The fact that the FaceID authentication is now tied to something that you’re doing with the phone anyway – that is, looking at it – makes the experience feel close to magic.

This experience can be technically described as ‘continuous authentication’: you no longer have to make a conscious gesture in order to authenticate (e.g. type a PIN or put your finger on the TouchID); by simply looking at the phone you are already authenticated. Some examples:
– expand notifications and show the control center on the lock screen
– apps using FaceID for authentication, like LastPass: after opening them, you’re already authenticated (without the need to type a password or put your finger).
– Safari browser auto-filling the passwords

Face ID is the most compelling advancement in security I have seen in a very long time. It’s game-changing not merely due to the raw technology, but also because of Apple’s design and implementation. […] The real Face ID revolution: since you’re almost always looking at your iPhone while you’re using it, Face ID enables what I call “continuous authentication.”
Rich Mogull: Face ID’s Innovation: Continuous Authentication

Security

I described above the convenience of using FaceID and how it slowly moves us to a new era where we no longer realize we’re using biometric authentication. But how secure is it?
Before we dive into the main security concerns, it’s worth noting that before TouchID (that is a mere 4 years ago), most of us did not use a passcode on our smartphones. “Before Touch ID, about half of our users had a passcode set. Now, 9 out of 10 do.” (WWDC June 2016). With the introduction of TouchID and now FaceID, the number of people enjoying the security benefits of using a passcode is much higher.

Here are the main concerns related to FaceID:

– accidental in-app buy or download; accidental use of Apple Pay: not possible, you have to double tap the power button to enable the FaceID in order to download an app or to make a purchase
– false positive rate (security concern) / false negative rate (convenience concern): according to Apple, both fare better than TouchID
– somebody clones your face: still possible, and a valid concern if you have a high profile. But FaceID is more secure than TouchID: fabricating a 3D mask is arguably more complicated than a 3D finger.
– law enforcement forces you to unlock your iPhone using your face: the security level here is the same as for Touch ID. If you are concerned about this aspect, then simply don’t use FaceID/TouchID and rely on a strong passcode instead. If you are just a little bit concerned, then know that holding the power and one of the volume buttons together (‘squeeze’ your iPhone) will immediately require the passcode to unlock
– somebody unlocks your phone while you are asleep: you can enable ‘require attention’. But if you are concerned about this, you have bigger issues than the security on your smartphone 🙂
More about these concerns here: Face ID, Touch ID, No ID, PINs and Pragmatic Security

The only valid concern for me is the following: a thief steals your iPhone, makes you look at it to unlock, then runs away with the unlocked phone.
In this scenario, FaceID is actually worse than TouchID – because it requires no physical contact between you and the thief. The only solution for this is to ‘Find your iphone’ and remotely wipe it, but this can take time during which valuable data can be extracted from your stolen phone. A better solution would be to immediately lock the iPhone from your Apple Watch.

Conclusions

There is always a trade-off between security and convenience. Sometimes compromises need to be made: security requires pragmatism. But FaceID just proved how it can address most security concerns while providing a seamless user experience. With time, software and hardware updates, it will get even better, and we will see FaceID on other computing devices like tablets or laptops.
And from there it’s easy to imagine a keyless future. How long until you unlock your car by looking at it? Or you unlock your house by simply approaching the door and disarm your house alarm system by stepping into the hallway?
FaceID is not only an important milestone for biometric authentication, but it has the potential to change the way we interact with technology forever.

Reading list

Written on 15 April 2014, 10:06pm


The updated reading list from 28 November 2013:
✔ 1. Steve Krug – Don’t make me think —read, as well as the 3rd, revisited edition
⇓ 2. Dean Buonomano – Brain Bugs —saved for later
✖ 3. Andy Hunt – Pragmatic thinking and learning —read the first chapter, did not catch me. Maybe some other time
⇓ 4. Paco Underhill – Why We Buy —saved for later
⇓ 5. Barry Schwartz – The Paradox of Choice (Why more is less) —saved for later
✔ 6. Dale Carnegie – How to win friends and influence people —read, as well as a condensed version of it
✔ 7. Smashing book #4 —currently reading
✔ 8. George Orwell – 1984 —read, but did not find the positive state of mind to finish it
✔ 9. Dean Beaumont – The Expectant Dad’s handbook —read, this and two more 🙂

In the meantime I also read The speed reading book, Ronnie and rediscovered the pleasure of reading funny SF novels.

Next in my reading list:
1. Smashing book #4 – finish it
2. Dean Buonomano – Brain Bugs
3. Irwin Schiff and Peter Schiff – How an economy grows and why it crashes
4. Bill Shankly – My Story
5. Steve Peters – The chimp paradox
6. Paco Underhill – Why We Buy
7. Barry Schwartz – The Paradox of Choice (Why more is less)
8. Steve Souders – Even Faster Web Sites: Performance Best Practices for Web Developers
9. Whatever I find interesting from the Smashing library 🙂