Jose Palma Photography


Microsoft Ads and why they keep ignoring my Face ID :( (Update, they fixed it)

I’m making this entry after reporting the bug to Microsoft Security and getting ignored. I guess that gives me the freedom to alert consumers not to use Microsoft Ads on their iPhone, or at least to be aware of the potential risk if they enable Face ID and expect it to work.

Update: I’ve tested this problem on Android using my fingerprint and it doesn’t happen; it behaves as you would expect and asks you for a password.

Update 2: The problem is gone, good job Microsoft. I don’t know when, but as of Jul 11 2021 the problem is gone.

When you are in a highly competitive environment, having decent SEO may not be enough. You have a lot of businesses doing the same as you do: hiring SEO experts, using resources to get backlinks and referrals, running offers, and using many different strategies to position higher than the rest.

For the people that don’t know how ads work: you select a budget, and based on your preferences, keywords, etc., a bidding process happens. This means that, depending on the competition, a single click on your ad, which may not translate into a real customer, can cost you 2 or 3 dollars. Yes, a click can cost you that.

As everyone is on Google, businesses tend to use other platforms as well, just to reduce their advertising cost. In my experience, the one that drives by far the most traffic to my site is Microsoft Ads. The bids in my area are not that high and you get exposure not only on Bing but also on Yahoo and partner sites. This makes Microsoft Ads a strong option if you are looking for a PPC (pay per click) solution to attract possible clients.

The Microsoft Ads app on iPhone has the option to enable Face ID, but its use makes no sense, and you should be aware that it doesn’t work as you may expect. Let me explain why, and why Microsoft should change this.

Any decent implementation of Face ID, when it fails, doesn’t allow you to continue with the process, meaning that if you fail to authenticate with your face, it either fails or may ask you for the phone PIN to continue. If you have enabled Face ID, it doesn’t continue. This happens in 100% of the apps I’ve used on the iPhone.

What does Microsoft Ads do? Nothing. If you fail Face ID and you had previously configured your email account, it will go through; it keeps using whatever internal token/cookie they use for authentication. It is wasting your time: you could just let me go through when I open the app if there is an email configured, because Face ID does nothing.

Let me show it to you.

Step 1: Configure your Microsoft Ads account

Log in to your account

This is my dashboard

Step 2: Enable Face ID

This is the Settings screen; I have enabled Face ID.

Step 3: Close the app, open it and trigger a failure on the Face ID check

I promise I just want to fail

Yeah!!

Step 4: Hit Cancel

Wait. A login screen. I guess that I can’t log in even if I click Next, right?

Well, no, the app stores your credentials, so even if you have enabled authentication via Face ID, failing it and clicking Next on the login screen will let you go through without requiring your account credentials.

How do other apps do it?

  • If Face ID works, you can use the OAuth/token/cookie/magic wand the application uses to access your account.

  • If Face ID fails, you can either retry it, use the phone PIN or, and here comes the big difference, re-enter your credentials.
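One way an iOS app can get the behaviour in the list above is to let the Keychain, rather than the app's own code, decide whether the stored token is released. This is an added sketch, not the Microsoft Ads code or anything from the original post; the service and account names are hypothetical.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical Keychain identifiers for this example, not from any real app.
let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.adsapp.session",
    kSecAttrAccount as String: "session-token"]

enum UnlockResult {
    case token(Data)       // biometric check passed, Keychain released the token
    case needCredentials   // cancelled, failed or missing: show the full login
}

// Store the token so the Keychain itself demands Face ID/Touch ID before
// releasing it; .biometryCurrentSet also drops it if enrolment changes.
func storeToken(_ token: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    SecItemDelete(baseQuery as CFDictionary)   // replace any older copy
    var add = baseQuery
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = token
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

// Read the token. iOS shows the biometric prompt; on any outcome other than
// success there is no token to use, so the caller must ask for credentials.
func unlockToken() -> UnlockResult {
    let context = LAContext()
    context.localizedReason = "Unlock your ads account"
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecSuccess, let data = item as? Data { return .token(data) }
    return .needCredentials
}
```

Replacing `.biometryCurrentSet` with `.userPresence` permits the device passcode as a fallback, which is the "phone PIN" option in the list. `SecItemCopyMatching` blocks while the prompt is shown, so call `unlockToken()` off the main thread.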

Why is this a risk?

As an iPhone user for the last, I don’t know, 9 years, Face ID was a welcome security feature. It saves a lot of time, especially on applications that need a password, or adds an extra security layer on the applications that save your password.

So far, in 100% of the apps, you make that compromise: when you enable Face ID, you ditch the password option (or the local cookie) for a similar feature that will only use such cookies/tokens when you are the one in front of the phone.

It is vital on applications that may affect any budget or business, or that have personal information. In the case of Microsoft Ads, it is pretty much all 3 of those. The phone app is quite limited compared with the web page, and thank Cthulhu for it.