
FaceID Security [pdf] - MBCook
https://images.apple.com/business/docs/FaceID_Security_Guide.pdf
======
fpgaminer
I'll bet most people who dismiss TouchID and FaceID as useless because they're
"usernames" and not "passwords", have a bog standard lock and key on their
house.

Funny thing about those house keys. They can be stolen, lost, or duplicated
from pictures. But TouchID and FaceID have liveness tests to prevent
forgeries, your biometrics can't be easily stolen, and you can't lose them.

A house key is called a "key" though, so it must be a password, and thus must
be secure! And biometrics are just usernames, so they're useless and insecure!

Sarcasm aside, my point is this. Even with the worst biometrics, your phone
would be more secure than 99% of houses. And I don't see people complaining
about the state of home security...

Ultimately, these username vs. password analogies are shallow understandings
of security, and at best flawed.

Biometrics, passwords, house keys, secure dongles, etc. Those are _all_ keys.
What they differ in is how reproducible they are, how easily they're lost, and
how easily they're bypassed.

For example: Biometrics, when measured by devices with sufficient liveness
tests, are robust against forgeries. That means they can't be stolen. This is
in contrast to passwords and PIN codes, which can be stolen by eyeballs,
cameras, audio recording devices, etc. You can use FaceID or TouchID to unlock
your phone in front of all the recording devices in the world, and yet still
your biometric key won't be stolen.

See how that example comparison is far more interesting and enlightening than
"biometrics are usernames, so they're pointless"?

* Of course, when I refer to household locks and keys, I mean your average household lock. There are, of course, premium locks with keys that can't be reproduced. But most houses have locks that you can sneeze on and open.

~~~
sorenjan
If I lose my house key I can change the locks and make the old key worthless.
How do you change biometric keys once they're compromised?

~~~
c22
It sounds like fpgaminer's argument is that biometric keys can't be
compromised because of "liveness tests". An argument against would have to
rebut this assumption.

My gut instinct tells me that this assumption is absurd, but I lack the
specific knowledge of these systems to prove it.

~~~
chimeracoder
> It sounds like fpgaminer's argument is that biometric keys can't be
> compromised because of "liveness tests".

You're arrested, and the cops hold the phone up to your face to unlock it.
That's a pretty big compromise, and there's literally _nothing_ you can do to
prevent it.

~~~
coldtea
The same holds true for physical keys.

If you're arrested then the cops can tie you, grab the keys and unlock your
door "and there's literally nothing you can do to prevent it."

Also some guy can just make a copy of your key (pretty trivial) -- heck, people
can even break your door, bypassing the key altogether.

~~~
tuxxy
Yes, but the police have to get warrants. If they fail to get a warrant, then
it's inadmissible in court.

In the phone case, they don't need a warrant if your authentication method is
literally your face.

~~~
GeekyBear
In the United States, the Supreme Court does not allow warrantless cell phone
searches.

[https://en.wikipedia.org/wiki/Riley_v._California](https://en.wikipedia.org/wiki/Riley_v._California)

~~~
kobeya
The police hold up the phone, pointing it towards the suspect:

Detective: "Is this yours?"

_Suspect glances in the direction indicated, phone unlocks._

Detective: "Nevermind, I got it from here."

-----

At least TouchID required physical assault to get you to unlock the phone.
FaceID on the other hand can be defeated with perfectly legal attention
grabbing techniques.

~~~
GeekyBear
This doesn't seem to be a valid argument when discussing the police in the
United States.

Without a warrant: No information taken from your phone by the police is
admissible.

With a warrant: A judge can compel you to unlock any device with a biometric
lock, regardless of what sort of biometric lock we are discussing.
Fingerprint, iris scan, or face, it simply does not matter.

~~~
kobeya
Warrants aren’t always required. Also, lack of a warrant just means the direct
evidence they gather won’t be admissible, but it might lead them to new
evidence. Also, it’s not just the police one needs to worry about.

~~~
GeekyBear
Even if an illegal search of your phone led to new evidence, in the US that
new evidence would fall under a legal doctrine known as "fruit of a poisonous
tree".

Fruit of the poisonous tree is a legal metaphor in the United States used to
describe evidence that is obtained illegally.

For example, if a police officer conducted an unconstitutional search of a
home and obtained a key to a train station locker, and evidence of a crime
came from the locker, that evidence would most likely be excluded under the
fruit of the poisonous tree legal doctrine.

[https://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree](https://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree)

Border agents operate under a different set of rules and have been searching
mobile devices without a warrant or even probable cause.

However the ACLU and EFF have filed a new lawsuit challenging this behavior,
now that the Supreme Court has ruled that the police cannot conduct
warrantless searches of cell phones inside the US.

~~~
kobeya
“Parallel construction”

------
athenot
I still wish it had an "unlock under duress" mode, where you could
authenticate with a subtle difference (different gaze, alternate passcode,
etc). The phone would unlock itself but then signal back to the mothership,
cloud services and even apps that it's in "duress mode". Display in that mode
should look totally normal, just some of the information missing (e.g.
emails/messages/contacts from certain groups of contacts flagged as "withhold
from duress mode"). This could help mitigate physical danger while preserving
some of our critical information.

It's akin to having multiple wallets when visiting high-theft areas. Get held
up by an armed thief and give them the cash in the visible wallet, while
holding back what's hidden in another location.

~~~
giarc
That sounds like a cool feature, but probably applicable to 0.0001% of the
population. Think of all the work app developers would need to do to make
their app "duress compatible" in the very rare chance someone is being held at
gunpoint and the person is asking to see their emails.

~~~
surfmike
If the phone allowed multiple users that might be one way to do it. Just log
in to another user.

~~~
mtgx
Yes, allow the users to create multiple accounts and also allow them to
encrypt and hide those other accounts.

This should also be available to fingerprint readers, as the suggested "gesture"
would be even easier: just use a different fingerprint (you can set the
fingerprint that everyone expects you to use as the "other fingerprint", and
use some other fingerprint as your default one).

It should also work with passwords, etc.

------
MBCook
Good document, but I was really hoping they’d go deeper into how they tested
some of the fraud detection stuff (masks, etc) or give us some statistics on
the twin/family member issue.

~~~
netsharc
It mentions infrared picture. Masks probably have a different infrared
signature.

But so does your face if it's been wearing a balaclava in the cold (some parts
will be cold and some will be warm...).

~~~
The_Double
Just guessing here, but veins and blood flow are visible in infrared [1]. A
color camera can also measure pulse using small color variations.

[1] [https://software.intel.com/en-us/articles/pulse-detection-wi...](https://software.intel.com/en-us/articles/pulse-detection-with-intel-realsense-technology)

~~~
MBCook
Apple wants this to work in total darkness. So color wouldn’t work. Do we know
if they’re projecting IR light (besides the dot pattern) that they could use
to look for blood vessels?

~~~
billyhoffman
Yes. The iPhone X has something literally called the "Flood illuminator" which
projects IR light. This is one of the many reasons FaceID is not retroactively
available to previous iPhones via a software update.

> The flood illuminator produces infrared (IR) light, part of the
> electromagnetic spectrum that's invisible to the naked eye, to illuminate
> your face;

[https://www.forbes.com/sites/jvchamary/2017/09/16/how-face-i...](https://www.forbes.com/sites/jvchamary/2017/09/16/how-face-id-works-apple-iphone-x/)

~~~
MBCook
Oh you’re right, I somehow missed that. Well that makes things more
interesting doesn’t it.

I guess that leads back to my question (in another comment) about whether or
not face paint would affect it.

------
FilterSweep
Questions:

* Does one explicitly set up their FaceID with the option to skip, like how TouchID works currently? I see (when...enabled) verbiage, which is a good sign.

* "The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID)" If you have a face that causes most people you meet to say "oh, you look like X, Y, or Z", is this probability reduced? Other comments noted twins. This isn't meant to be humorous or tongue-in-cheek; there could be a precedent that people of certain appearances are easily spoofed.

* "To avoid a user having to reenroll to Face ID when these neural network changes are made, iPhone X will be able to automatically run stored enrollment images through the updated neural network."

I guess a layperson would see the words "automatically" and relax, but this
leaves more to be desired in explaining the "Secure Enclave" to me. The Name
"Secure Enclave" almost sounded like remote storage until I read that the data
never leaves the device.

Thanks for the downvotes for questions!

[0] [http://www.pnas.org/content/102/35/12629.full](http://www.pnas.org/content/102/35/12629.full)

~~~
rb808
Would be cool/weird if you could find out who they were and have a meetup.

~~~
FilterSweep
I've met a few. Paths have moved on but it would have been cool to see if they
could try unlocking my phone if this came out during my tenure in college.

------
eridius
> _The probability of a false match is different for twins and siblings that
> look like you as well as among children under the age of 13, because their
> distinct facial features may not have fully developed. If you're concerned
> about this, we recommend using a passcode to authenticate._

I was really hoping they'd provide the probability for identical twins, but
maybe they don't have enough data to give a specific number on this (I assume
most of their data comes from people without identical twins).

~~~
thefalcon
I believe the probability for identical twins is 1 in 1; they mentioned in the
keynote that some people will have to stick with passcodes, including those
with "evil twins". (Presumably if you trust your identical twin to not be
evil, you don't care if they're able to unlock your phone.)

~~~
eridius
Identical twins aren't identical down to every last detail. What I'm curious
about is if Face ID can pick up on any details that are different that humans
wouldn't notice.

Also regarding the "evil twin" thing, evil twins came from another dimension
so, aside from the goatee, they really were literally identical down to every
last detail. It's unclear to me if that joke was meant as "your identical twin
will be able to unlock your phone, so hopefully they aren't evil", or was just
meant as "someone who looks like you might be able to unlock your phone".
Probably a bit of both. But this is why I want to know what the actual
probability is that an identical twin can unlock the phone. Maybe it really is
1 : 1, but maybe it's not.

~~~
jagger27
Assuming the hardware isn't being pushed to the accuracy limit for the sake of
processing time, perhaps there could be an "enhanced security" mode that
requires a more thorough check? I suspect their 1:1,000,000 false-positive
number is an extrapolation of the maximum allowable difference in measurement.
They probably could have set that "fudge factor" to a value that corresponds
to something like 1:1,000,000,000 and increased false negatives to 50%.

Maybe it needs to see more "liveliness" and a few degrees head rotation?

Overall I think the alertness test, the 48-hour passcode lockout, the
"press the lock button 5 times" panic mode, and a limit on all attempts are
enough to discourage most three letter agencies. It seems to have been enough
with TouchID.

------
theluketaylor
> The probability of a false match is different for twins and siblings that
> look like you

Apple mentioned this on stage, which to me was quite significant since they
don't waste a single word during their keynotes.

They still haven't given approximate collision chances and to me this must
mean they think it's below the 1/50,000 touch id had.

My understanding is fingerprint collisions are highly random. That is very
different from Face ID collisions since they are highly predictable.

~~~
gre
They said in the keynote the chance a random person could unlock your phone
with FaceID is 1 in a million.

~~~
jv22222
Can someone help me understand why @gre got down-votes here? I don't get it.

As far as I remember, in the big reveal, they did make a point of saying that
FaceID had a much lower chance of colliding than the fingerprint ID system.

~~~
__jal
I'm not the down-voters, but my guess is due to citing the 1-in-a-million
figure, which is Apple's claim about a _random_ false positive, in response to
a question about false positives with _twins_. Someone reading fast or simply
not thinking critically could come away with the wrong impression.

------
peterwwillis
_"Once it confirms the presence of an attentive face, the TrueDepth camera
projects and reads over 30,000 infrared dots to form a depth map of the face,
along with a 2D infrared image. [..] To counter both digital and physical
spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth
map captures, and projects a device-specific random pattern. [..] the A11
Bionic chip [..] transforms this data into a mathematical representation and
compares that representation to the enrolled facial data."_

So it matches on a math model created using face data and 'a device-specific
random pattern'. So unless someone cracks the algorithms used here, you need
the device data to spoof the model, assuming the pattern is used in a way that
you can't simply ignore it and generate matching models using just a spoofed
face.

_"We worked with participants from around the world to include a
representative group of people accounting for gender, age, ethnicity, and
other factors."_

If the model is really hugely inclusive, it could be too general. But also it
would be very difficult to get the same number of scans from some minority
populations, and that could affect the functionality of the result.

_"An additional neural network that’s trained to spot and resist spoofing
defends against attempts to unlock your phone with photos or masks."_

Gruesome thought: what if somebody obtained your face?

Additional thought: could we train the neural network to detect faces under
duress and immediately lock the device?

------
tptacek
I was really unhappy about FaceID last week, but if the attention sensing tech
works reliably, I think it's probably better --- including under duress ---
than TouchID.

~~~
zionic
I wonder if the feds can compel you to open your eyes.

~~~
tptacek
It would seem to be extremely difficult for them to compel you to aim them at
a fixed point in space.

~~~
21
The police can forcefully draw your blood with a warrant.

Maybe they can also forcefully sedate you or fix your head/eyes with some
medical device.

~~~
zionic
I wonder if it works on a dead person in a morgue.

------
Manozco
I'm genuinely interested in knowing how Apple can tell that FaceID is better
than TouchID.

- TouchID is already very fast

- I can give access to someone else with TouchID without giving my password

- It's unlikely that someone will be able to unlock my phone without me
knowing it when using TouchID

- In case of coercion, I still have the possibility to give the wrong
fingerprint 9 times before the good one

- I have to voluntarily give my agreement with TouchID for an action (think
Apple Pay)

All of that makes me think that they are trying to sell a feature that is only
due to their engineering team being unable to put TouchID on the iPhone X. By every
real world metric, TouchID is better in my opinion...

~~~
jonknee
> It's unlikely that someone will be able to unlock my phone without me
> knowing it when using TouchID

Do you really think it's likely that someone will steal your phone and then
trick you into looking at your own phone without you realizing it? At that
point you might as well be tricked into putting your finger on a TouchID
sensor.

~~~
Manozco
Well, it's definitely possible to have me looking at my phone held by someone
else. And it's then too late...

~~~
valuearb
Yea, it’s possible a thief would be so brazen as to return to the scene of the
crime and show you your stolen phone just to unlock it (instead of just
assaulting you till you unlocked it). Who are you worried about, the Mission
Impossible team?

------
mstolpm
Could someone help me understand? I’ve read multiple times in this discussion:

> Many (most?) people have more private information on their phones than they
> do in their house

But I can’t think of any in my situation. Regarding data, almost all is
available on my PC and tablet as well, both staying at home most of the time
and with security features that can be bypassed with enough time/effort.
Moreover, photos, handwritten notes, purchase receipts, bills, love letters
and so on are all at my home or accessible through my home, but not
necessarily stored on my phone. Digital traces about my communications and
travel are available through numerous service providers (mail, cell, ISP) ...
no need to break into my phone, either.

So, what is the private data only available on everyone’s phones but not in
their homes? Unsynced, non-backed-up private notes and photos never shared with
anyone else? Am I missing something (honest question)?

------
swang
I'm pretty late to this and I'm sure this will get buried...

> Face ID data doesn’t leave your device, and is never backed up to iCloud or
> anywhere else. Only in the case that you wish to provide Face ID diagnostic
> data to AppleCare for support will this information be transferred from your
> device. Enabling Face ID Diagnostics requires a digitally signed
> authorization from Apple that’s similar to the one used in the software
> update personalization process. After authorization, you'll be able to
> activate Face ID Diagnostics and begin the setup process from within the
> Settings app of your iPhone X.

What is preventing the government from compelling Apple to give up this key,
and intercept your diagnostic data?

~~~
dkonofalski
Diagnostic data still wouldn't provide anything of value as both sides need to
give up the key for it to be useful.

------
jonknee
> To counter both digital and physical spoofs, the TrueDepth camera randomizes
> the sequence of 2D images and depth map captures, and projects a device-
> specific random pattern.

I await some interesting articles featuring IR imaging after the X ships.

~~~
nsxwolf
How does that counter physical spoofs? If I have the 3D printing technology to
pull off a Mission:Impossible quality mask of my target, what good does a
random IR projection do?

~~~
achamayou
There was a bit in the keynote where they mentioned those and said they’d done
work to prevent them from logging in successfully. They did not elaborate
though. Maybe the IR reflectivity of human skin and usual mask material is
sufficiently different?

------
dippydipdips
"Face ID confirms attention by detecting the direction of your gaze"

So to the argument that police can force you to open your iPhone if secured
with TouchID, is this perhaps more secure? If you refrain from looking at your
phone?

~~~
aeontech
No, any kind of biometric auth is vulnerable to the adversary forcing your
physical compliance.

However you can disable TouchID and FaceID both by pressing the power button
five times in quick succession, after which it will require your passcode.

~~~
eridius
For the iPhone X it's hold both the power button and either volume button for
2 seconds.

~~~
Angostura
Actually, I think that’s the hard reset sequence - replacing the Home Power
combo

~~~
eridius
From the PDF:

> _After initiating power off /Emergency SOS by pressing and holding either
> volume button and the side button simultaneously for 2 seconds._

------
randyrand
Recently I posted this theoretical spoofing attack in a comment. I'm glad to
know they've put in the appropriate measure to detect it - randomly blinking
the IR dot pattern, requiring any spoofed videos to react to the blinking with
very near zero lag (likely sub-microsecond). Specifically, the last step in
this process could be detected because the generated IR video would have a
static dot pattern.

How to (not) hack FaceID: You'd need:

1. 2 phones (at least 1 with an IR camera, such as another iPhone X)

2. a helper app

3. access to 10+ photos of the victim (Facebook typically)

4. a small mirror

With the helper app:

1. capture the suspect's phone's unique IR dot pattern by shining their phone
at a white piece of paper, recording it with the helper app (the helper phone
needs an IR camera of course, such as another iPhone X)

2. the app makes a 3D model of the person's face from the FB pictures

3. the app generates two animated videos of their face, 1 just a normal color
video and another simulated "IR video" with the unique dot pattern applied

4. now you need to show the 2 videos to FaceID, using the mirror to show the
color video to the color camera and the IR video to the IR camera. Note: It's
still TBD which wavelengths the IR camera is sensitive to and which
wavelengths smartphone screens can put out, so the IR video device may need to
be specially made...

~~~
jagger27
Theoretical countermeasure: I get an IR visible tattoo that you can't see in
my Facebook pictures but FaceID can. I think the level of equipment needed to
pull your attack off couldn't be done off-the-shelf. It seems reasonable that
IR camera would scan in detail greater than that of a typical display (say,
500ppi) and it needs 100,000dpi resolution. Then you need bigger displays,
advanced optics to reduce it to the expected size without distortion, and so
on...

~~~
randyrand
You're overestimating the precision by a couple of orders of magnitude.

I suspect the IR camera is a few megapixels at most.

------
madeofpalk
The diagnostics section is super interesting.

~~~
oflannabhra
Yes, this section hasn't previously been reported or commented on. I wonder if
this is essentially an opt-in to add your face to the FaceID master
dataset[0], or if it is to just allow the developers to see what issues users
are having (and how frequently).

[0] - It's previously been reported
([https://techcrunch.com/2017/09/15/interview-apples-craig-fed...](https://techcrunch.com/2017/09/15/interview-apples-craig-federighi-answers-some-burning-questions-about-face-id/amp/)) that Apple collected this
dataset at great expense. The ATP podcast has an account of someone who took
part in that data collection here:
[https://overcast.fm/+CdQoBnmk/1:15:23](https://overcast.fm/+CdQoBnmk/1:15:23)

------
komali2
> You can always use your passcode instead of Face ID, and it’s still required
> under the following circumstances:

> The device has received a remote lock command.

I haven't had an iPhone since the 3GS - how are these sent? Via cellular data
I assume, but is there some app you have to have on your computer?

~~~
virusduck
No, you can send the lock via the iCloud website. Although, to log on, you may
have to use a 2FA code that is sent to your device or home Mac....

~~~
keehun
"Find My iPhone" is available without typing in password or 2FA.

------
mgleason_3
The problem I have is with the lack of TouchID. FaceID is fine. But, I don't
always want to have to stop what I'm doing, loooook at the phone and then
proceed.

Sometimes I even unlock my phone in my pocket to sneak a look.

How do you do that with FaceID when the sensor's been removed?

~~~
ovao
By “removed” do you mean “occluded”?

If you have access to the screen but not to the sensor array, you can use a
passcode. This is obviously very difficult to do when the phone’s in your
pocket, so that’s a very small regression in usability there, but that seems
like an extreme edge case.

~~~
mgleason_3
Pretty sure I mean removed - at least on the iPhone X. "The full edge-to-edge
screen means no more home button. No more home button means no more Touch ID"

>> extreme edge case

OK, maybe. Though I think TouchID has become so quick and natural that we
forget it's even happening. For me it's almost automatic as I pull it from my
pocket. Maybe FaceID will get to that point also.

But I think I'm safe in predicting, at least in the beginning, memes of people
looking with zombie like stares at their phones trying to get them to unlock.

------
andrei_says_
Just wondering, at what point will the face camera data be used to send
feedback to advertisers? Being able to tell if phone users watched (for
example) a youtube ad and with what facial expression dynamics would be worth
something to someone.

------
shishy
How would this work if you wear a burka for example (without having to
"downgrade" to using a passcode, when the real alternative would have just
been TouchID)? Or am I missing something... genuinely curious.

~~~
oflannabhra
FaceID will be incompatible with burqas, just like TouchID is incompatible
with gloves.

~~~
jagger27
What about an IR transparent burqa?

~~~
oflannabhra
FaceID uses a combination of IR and visible light. So, theoretically, if you
had a perfectly EMR-transparent burqa, it would not interfere with FaceID.
Although an EMR-transparent burqa might not even qualify as a burqa anymore.

~~~
MBCook
Does it use visible light? If it’s supposed to work in total darkness that
seems like a problem.

------
royal_ts
I'd like to know how iPhone X users control (play pause) apps directly from
their lockscreens. That no longer works right? Isn't that a major
disadvantage?

~~~
dkonofalski
You have access to control center from anywhere in the OS. There's a "Now
Playing" piece that comes up with a single swipe from the bottom of the
screen. If you're not looking at the screen, Now Playing still displays on the
lock screen.

------
eanzenberg
This is great, and I can't wait to see the accuracy and speed of the faceid
unlock firsthand.

------
m_ke
They should add some sort of integration for lost/stolen iPhones that would
allow them to record face information of anyone who uses it after the phone has
been reported stolen.

~~~
hk__2
No, because they (and we) don’t want to be able to store face information
server-side.

~~~
m_ke
They wouldn't have to until the phone is reported stolen and the user enables
it.

~~~
MBCook
I think Apple would argue slippery slope there. We’ve seen what the FBI tried a
year or two ago. I have a hard time believing they wouldn't try to turn it into a dragnet
or ask for ‘special’ phones that could scan people but retain the data in a
form the FBI could use.

------
suyash
I can't wait to disprove Apple with FaceID False Security promise. Waiting for
my iPhone X.

------
qrbLPHiKpiux
Biometrics are UID's - not passcodes.

~~~
aroman
I agree with you, but features like this are often the difference between having some
(decent) security and none at all.

Consider the iPhone prior to TouchID. A lot of people used trivial passcodes,
or no passcodes at all.

~~~
MBCook
Apple had numbers a few years ago (2015?). It was something like 95% without
passwords before TouchID and only 50% after TouchID.

I know people who consider TouchID too much of a hassle.

This doesn’t need to be a perfect solution, it just needs to be more secure
than TouchID (claimed) and more secure than nothing (obviously) while being
easy enough people won’t turn it off (we’ll see).

