The Truth About Face ID

How secure is Face ID, really? Is it as secure as Apple claimed it is? YouTubers and journalists have been scrutinising Face ID at every turn, and rightfully so! Why should anyone just willingly trust a new biometrics system?

Sadly, what was originally born out of uncertainty and skepticism has devolved quickly into journalists and YouTubers simply wanting to see the product fail. At any minor chance that Face ID has failed, YouTubers and journalists pounce on it.

Let’s take a brief look at Face ID in the news…

The Infamous Face ID Demo

It all started at Apple’s September keynote. Craig Federighi is on stage, excited to show us the first demo of iPhone X. The first thing Craig attempts to show us is Face ID. He lifts the phone, and “ho-ho-ho”, it seemingly didn’t work.

Did Face ID actually fail? Craig Federighi clarified what happened in episode 200 of The Talk Show by John Gruber. Essentially, what happened is that other staff members had unintentionally triggered Face ID when setting up the demonstration table, resulting in too many failed authentication attempts, temporarily disabling Face ID. Credence can be added to this when you simply watch the keynote back. Craig’s iPhone X displayed “your password is required to enable Face ID”.

No, Face ID didn’t fail. In fact, Face ID was working exactly how it was programmed to. Furthermore, Touch ID works the same way! If you haven’t authenticated your iPhone X within 48-hours, Face ID will require you to enter your passcode. Likewise, Face ID will also disable itself if there have been too many failed attempts at unlocking the device — just like Touch ID. This is a security feature that prevents adversaries brute forcing their way into a victim’s iPhone.

Unfortunately, people want to see this product fail. YouTubers jumped on the bandwagon. In one video, the host went on to hypothesise that the unlock feature may have “failed” due to sweat on Craig’s face. This merely adds fuel to the skepticism people have/had about Face ID. The host also suggested that you always have to hold iPhone X unnaturally up to your face for Face ID to unlock, which is simply not true.

My point is that the video was delivered in a way that reinforces this fear surrounding Face ID; it was almost conspiracy-like, as if Apple are knowingly trying to sell us an inferior system. The truth is all biometrics systems have some trade-offs.

Troubles with Twins

Then came the twins videos. YouTubers would get twins together to break Face ID. Some of these videos were cool, and it makes perfect sense too. Apple even stated during the keynote that one of the trade-offs with Face ID is that close relatives, especially twins, have a higher likelihood of fooling Face ID. Surprisingly, in one of these videos, iPhone X actually wasn’t bypassed by an identical twin — well, not until the twin entered the passcode.

One of Face ID’s strong points is its ability to adapt to a face over time. If you start growing facial hair, Face ID will adapt to it. Every time you successfully unlock your device, be it by passcode or Face ID, your face will be scanned and Face ID will learn and adapt to your changes. More specifically, if the scan of your face is mathematically similar to the enrolled face — if it reaches a threshold of similarity — it will learn and adapt to the latest scan.

So, originally when Face ID failed to authenticate the second twin, they proceeded to enter the iPhone’s passcode. The identical twin naturally looked very similar to their sibling, and so it could be possible that Face ID reached that threshold of similarity. From there on, Face ID would now recognise the twin.

The takeaway from this is that, given the visual similarity of the twins, it was actually impressive that the second twin was not able to fool Face ID on their first try. Face ID seemingly had to learn their face first through its adaptive algorithm.

Face ID Hacked with 3D Mask?

The latest headline is that Bkav Corp security researchers have “wrecked”, “tricked”, “broken” and “hacked” Face ID. From the headlines, you’d think that your original skepticism was right - Face ID is weak, insecure and a terrible idea. It sounds like the whole system has been utterly defeated and it didn’t even take two weeks!

Again, people want to see this product fail.

Based on the video, Bkav Corp may indeed have fooled Face ID, but they aren’t giving enough information to actually prove it.

What we see in the video is a researcher successfully unlocking their iPhone X using their face. They then lock the device and point it directly at a 3D mask of themselves, and voila Face ID unlocks.

If only tech YouTubers and journalists applied the same level of skepticism to these headlines as they do to Face ID itself.

Firstly, the video showed Face ID approving two different faces — the human face, and the mask. Does this sound familiar? It very well could be the case that Face ID learnt the mask as a valid face as the researchers were testing it out. The proper way Bkav Corp should and could have proven this not to be the case is by showing the initial Face ID setup, the Face ID approval of the human, and then the approval of the mask. We’re missing way too much data here to make anything of this video. Alas, that won’t stop YouTubers and journalists from jumping on the bandwagon. Though, credit to Ars Technica!

Secondly, let’s suppose that the mask did truthfully fool Face ID; what are the ramifications of this? How does this compare to Touch ID?

In both cases, the adversary would have to obtain the victim’s iPhone. Now, remember in order to fool Face ID, iPhone must be unlocked within 48-hours before requiring a passcode to re-enable itself. The adversary now has a hard time limit to 3D print a mask of the victim and obtain pictures to glue onto the mask. Furthermore, in order to print a 3D mask, the adversary needs a decent 3D model of the victim’s face… I can’t help but be reminded of this XKCD comic.

That said, I think generally speaking it’s still easier to lift a fingerprint from a device than to obtain a 3D mapping of someone’s face. Admittedly, in the case of a targeted attack, this could still spell trouble for the victim — but I again go back to that XKCD comic.

Lastly, the researchers stated that Face ID isn’t as secure as Apple claimed. This is simply false. During the Apple keynote, Phil Schiller spoke about how Apple’s engineers have trained Face ID to recognise Hollywood-style masks and recognise them as fake. Apple never claimed anything more than built-in resistance to mask-based attacks.

Double Standards

As a brief aside, I also feel it’s worth mentioning how YouTubers in particular have responded to this.

I truly wish tech YouTubers would hold other companies to the same standards they expect from Apple. For example, Samsung’s “facial recognition” can be fooled by a photo, it doesn’t work in the dark, and the iris scanning requires you to hold the phone unnaturally in front of your face. Essentially, all of the fears people had for Apple’s Face ID exist in Samsung’s flagship phones. Why isn’t there more outrage? Why don’t people demand better from Samsung? Nobody seems as surprised when Samsung doesn’t live up to the hype. In this case, Apple has lived up to their promises and gets trashed by the tech community.

When companies sell phones in the price range of Apple’s iPhone, they should be held to the same quality expectations.

Closing Thoughts

Face ID hasn’t been destroyed, it’s alive and well. Apple have lived up to their claims regarding Face ID’s security. Face ID is still a solid 20-times better than Touch ID in terms of average false-positives. The level of sophistication to bypass Face ID with a mask (if claims are true) is significant and not something the average person should worry about.

That said, no biometric system is perfect. If you have an evil twin, Face ID could very well be a drawback for you.

Finally, keep the true skepticism alive. Not for the sake of wanting a product to fail, but for the sake of wanting products to succeed and surpass your wildest expectations.