Apple’s iPhone X brought with it Face ID, the replacement for Touch ID that uses a TrueDepth camera to take a 3D image of a user’s face and match it against a scan taken during setup.
Apple claims that the technology is secure enough to not be fooled even by masks, making it less susceptible to unauthorized access than competing facial recognition offerings. Nothing is perfect, though, and Vietnamese research team Bkav claims to have found a way to trick Face ID using a mask that makes use of 2D images and a hand-sculptured nose.
Bkav’s method is said to use consumer 3D printing techniques and good old-fashioned 3D printing to create a mask that, once covered with a custom skin surface, can apparently fool Face ID for a total outlay of $150. Oddly, Bkav has not shared its findings with Apple directly, something security researchers would normally do. Importantly, Apple’s breakdown of how Face ID works does not claim it to be 100% secure, merely that it makes it more difficult for anyone other than the person authenticated by Face ID to unlock an iPhone. Apple does, though, claim Face ID to be at least two times more secure than Touch ID.
Face ID matches against depth information, which isn’t found in print or 2D digital photographs. It’s designed to protect against spoofing by masks or other techniques through the use of sophisticated anti-spoofing neural networks. Face ID is even attention-aware. It recognizes if your eyes are open and looking towards the device. This makes it more difficult for someone to unlock your iPhone without your knowledge (such as when you are sleeping).
It’s important to note that when Touch ID first came into the limelight, similar videos were released claiming to bypass it with dummy fingers. As for passcodes, we all know that there are tools that can, at least theoretically, bypass them.
Even though Bkav has released a video showing its mask fooling Face ID, the video itself could easily be faked by a number of methods, not least by simply setting Face ID up with the mask in place. Even if this is legitimate, though, the barrier to entry is certainly high and complicated enough that this is not something people are going to do just to see who you have been calling or sending photos to.
As far as more important security matters go though, this is another reminder that there is no such thing as a 100% secure system – assuming the video is not fake, of course.