Funny thing about those house keys. They can be stolen, lost, or duplicated from pictures. But TouchID and FaceID have liveness tests to prevent forgeries, your biometrics can't be easily stolen, and you can't lose them.
A house key is called a "key" though, so it must be a password, and thus must be secure! And biometrics are just usernames, so they're useless and insecure!
Sarcasm aside, my point is this. Even with the worst biometrics, your phone would be more secure than 99% of houses. And I don't see people complaining about the state of home security...
Ultimately, these username vs. password analogies are shallow understandings of security, and at best flawed.
Biometrics, passwords, house keys, secure dongles, etc. Those are _all_ keys. What they differ in is how reproducible they are, how easily they're lost, and how easily they're bypassed.
For example: Biometrics, when measured by devices with sufficient liveness tests, are robust against forgeries. That means they can't be stolen. This is in contrast to passwords and pincodes, which can be stolen by eyeballs, cameras, audio recording devices, etc. You can use FaceID or TouchID to unlock your phone in front of all the recording devices in the world, and yet still your biometric key won't be stolen.
See how that example comparison is far more interesting and enlightening than "biometrics are usernames, so they're pointless"?
* Of course, when I refer to household locks and keys, I mean your average household lock. There are, of course, premium locks with keys that can't be reproduced. But most houses have locks that you can sneeze on and open.
Home security is a really poor analogy.
* Attacking everybody's house at once is not scalable, unlike attacking many people's electronic devices at once. Furthermore, defending against a SWAT team armed with a search warrant is nigh impossible, no matter what lock you put on your front door.
* The contents of most people's houses is far more weighted to "things which would be a hassle to file with insurance to replace" and less "it would ruin my life if this got into the wrong hands", and their strategy for home defense is weighted as such.
* Many people whose strategy for home defense (well, in the US) is more serious, will weigh more towards weapons / guns and less to the actual locks on the doors. What would a digital equivalent be? A prick of poison for anybody who picks up a phone which doesn't belong to them? The analogy totally breaks down in context.
A locked door and a face-locked iPhone are only the first line of defense, and are largely for convenience's sake in both daily use/as a deterrent and in the case of physically being distant from your property. The "guns" are entirely independent.
Is there a lossless medium which can be used for steganography?
How many formats are there where you can intentionally encode something with meaningless characters?
Except for, you know, family members.
It's a bit harder to upgrade your front door lock in this way.
My gut instinct tells me that this assumption is absurd, but I lack the specific knowledge of these systems to prove it.
You're arrested, and the cops hold the phone up to your face to unlock it. That's a pretty big compromise, and there's literally nothing you can do to prevent it.
If you're arrested then the cops can tie you, grab the keys and unlock your door "and there's literally nothing you can do to prevent it.".
Also some guy can just make a copy of your key (pretty trivial) -- heck people can even break your door bypassing the key altogether.
In the phone case, they don't need a warrant if your authentication method is literally your face.
Detective: "Is this yours?"
_Suspect glances in the direction indicated, phone unlocks._
Detective: "Nevermind, I got it from here."
At least TouchID required physical assault to get you to unlock the phone. FaceID on the other hand can be defeated with perfectly legal attention grabbing techniques.
Without a warrant: No information taken from your phone by the police is admissible.
With a warrant: A judge can compel you to unlock any device with a biometric lock, regardless of what sort of biometric lock we are discussing. Fingerprint, iris scan, or face, it simply does not matter.
Fruit of the poisonous tree is a legal metaphor in the United States used to describe evidence that is obtained illegally.
For example, if a police officer conducted an unconstitutional search of a home and obtained a key to a train station locker, and evidence of a crime came from the locker, that evidence would most likely be excluded under the fruit of the poisonous tree legal doctrine.
Border agents operate under a different set of rules and have been searching mobile devices without a warrant or even probable cause.
However the ACLU and EFF have filed a new lawsuit challenging this behavior, now that the Supreme Court has ruled that the police cannot conduct warrantless searches of cell phones inside the US.
Doesn't (or can't) law enforcement also use parallel construction (based on information obtained without a warrant)? I believe the point about what's admissible is not as clear cut as you state in a single sentence.
And even there, would this stop a police force who routinely abuses, beats up, or even kills innocent people on the street for no or imagined provocation?
Depends on the country. Not everywhere, including western Europe, is this true.
If all 3 of these are true, you need a warrant (at least in the US). Doesn't matter if the keys, or in this case your face, are right there. The fact that you locked your phone with something the cop doesn't normally have is enough to require a warrant.
For one, there are tons of loopholes, from border searches to "evidence of criminal activity" (dead easy to "prove" for a black/latino/poor person and have the court agree), and unless you can afford a good lawyer, good luck trying to prove your rights were violated:
Not to mention that warrants are not that difficult to obtain either -- except in the movies.
Nobody's saying that home security is good. The point the parent was making is that, even with a "liveness test", compared to other biometric identification, this is a regression from fingerprint-based authentication for the iPhone.
You think they can force you to look at it ("engage" with it) but not touch the phone?
Honestly, the easiest attack would just be to ask me about my dogs. 99.99% chance I'll unlock my phone, pull up pictures and show them to you (easy grab) or just hand you the phone and let you browse through them.
is how you work around that issue.
Keep in mind, you don't need to refuse to TouchID/FaceID forever, just for the timeout (which I do wish was configurable -- I think one hour is reasonable).
1. You're walking, with your phone in your pocket.
2. Suddenly, a cop accosts you. You don't have time to react.
3. They detain and restrain you (with handcuffs or otherwise)
4. They pat you down and find your phone
5. They hold up your phone to your face to unlock it
I know that people who've never been detained or interacted much with cops think that this is a completely unlikely situation, or easily avoidable, but I promise you it is not.
TouchID isn't great from a law enforcement perspective, but it's light years ahead of FaceID.
FaceID / TouchID are a "convenience" to be used when you are comfortable with your surroundings. Can you be caught off guard even when you are paranoid? Of course, nothing is ever guaranteed in life, except death and taxes as the saying goes!
You and I have incredibly different experiences of policing and detention if, for you, "be proactive when you're at-risk" is appreciably different from saying "don't use FaceID ever".
If you are in such high risk situations continuously that "be proactive when you're at-risk" is appreciably the same as "don't use FaceID ever", then I say you are doing something very wrong and not just incidentally being stopped for a suspicion of possibly doing something wrong.
Either way, your experience is definitely not in the 99.9999% of the population which FaceID would be sufficiently safe if it proves to be as secure as Apple implies. For you, let's hope you aren't using a numeric pin code either!
The biometric attacks being discussed here are ones that could quite plausibly be used against you in many/most districts in the US, and be totally legal for the police to use.
5. They take your hand and place it on the fingerprint sensor.
Ignoring #2 (and the terrible language you used), I don't see how my scenario is significantly more or less likely than yours.
Have you ever been detained?
As far as I'm concerned, "refuse to look at it" is as useful a prevention tactic as not having any lock at all.
I'm honestly curious, what's the difference between "I refuse to look at my phone" and "I refuse to enter my PIN" when being detained?
It's in the marketing materials for the phone, was mentioned multiple times on stage during the introduction, and is in the introduction to the whitepaper that this entire HN thread is about. So yeah - a couple of sources are available...
Yeah, I'm going to say that this is an absolutely unrealistic expectation to have of someone who's just gotten detained and is concerned about having the contents of their phone viewed by law enforcement.
"Make sure that you don't open your eyes at any point in the direction where they might be holding your phone" is completely unactionable.
As is the assumption you won't be forced to touch your finger to the phone. I can assure you, if someone wants into your phone bad enough, they will break your fingers if that's what it takes.
Or you can apply a threat model and determine whether the people for whom TouchID/FaceID is keeping your phone secure against would have the resources to mount such an attack.
You can turn it off.
Is "don't use a lock" really the answer to "my key was stolen"?
The only risk is if somebody cracks the entire FaceID model and Apple cannot fix it in software. But even then, you would still disable FaceID and either return your phone or wait for a recall.
Did you even read what I wrote? You would turn off FaceID and revert back to a passcode/passphrase until it is fixed in software.
From the PDF:
"Once it confirms the presence of an attentive face, the TrueDepth camera
projects and reads over 30,000 infrared dots to form a depth map of the face,
along with a 2D infrared image. This data is used to create a sequence of 2D
images and depth maps, which are digitally signed and sent to the Secure
Enclave. To counter both digital and physical spoofs, the TrueDepth camera
randomizes the sequence of 2D images and depth map captures, and projects
a device-specific random pattern. A portion of the A11 Bionic chip’s neural
engine—protected within the Secure Enclave—transforms this data into a
mathematical representation and compares that representation to the enrolled
facial data. This enrolled facial data is itself a mathematical representation of
your face captured across a variety of poses."
So, it's more like a hash of your face, which is very similar to how TouchID works. So, again, even if someone were able to break into the secure enclave and get that data, what could they do with it? It's a representation of yourself that is used for Apple devices.
Also, this is an OPTIONAL feature. If it doesn't fit your security model, don't use it. For the same reason a lot of people don't use TouchID -- they want the security of a passphrase. But for 90%+ of people that will buy that phone and are not at risk of the government or police pursuing them, the security it offers is more than adequate and it achieves this by not annoying the user and requiring them to have a 50 character passphrase.
This is trivial to do if the person is in custody. You could also profile a specific target and get their face walking past them on the street. You could do this in bulk in a public place.
Now your face is compromised and the person who stole it likely possesses your phone and is unlocking it now. You can't change your face, but it's too late anyway. You live in an oppressive regime, they found out you're gay from what they found in your phone, and you're going to be hanged in a week.
You can’t ‘get their face’ if they’re ‘walking by’, you have to go through the whole enrollment. How are you going to trick them into that?
Also even if they go through some Herculean process to get your ‘face hash’ Apple could simply change the hash algorithm and reset it. For all we know different phones will use a different per-device random seed in the algorithm and that attack wouldn’t work at all even if the algorithm isn’t changed.
Again, you’re talking about getting a fully accurate 3D model of someone’s face that passes the FaceID tests and can be used to trick the attention sensors. That’s an INSANE level of effort for Joe random.
This is not a realistic attack, and FaceID is not designed to secure anyone at any time from any government with unlimited funds and resources. It’s designed to be better than the trivial passcodes that almost no one used.
Second, the point of using an IR image (in addition to the depth image) is that a simple 3D print is not going to provide valid spoofing - it will not match the IR absorption profile of a live face. Additionally, they are also likely testing for liveness by looking for changes from image to image, even if it’s just saccades of the eyes.
Third, Apple implies that they are taking a sequence of images. They can, for example, look for changes in IR images associated with blood flow correlated with your heartbeat, which prove you are alive and may be distinguishing from individual to individual. The secure enclave could also request specific changes in the images that can’t be predicted in advance, thus foiling attempts at feeding in canned images.
In short, I don’t think it’s anywhere near as simple as you propose.
> To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern.
> An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks.
Its effectiveness is yet to be seen, but the implementation details counter all the points you made.
Either way, let's say this attack you're talking about is possible. What % of people that buy this phone are actually going to be at risk of someone taking their phone apart to compromise them in this way? This method you explained is in no way "trivial." If you're Edward Snowden, don't use this feature. Simple as that. But I wouldn't use TouchID if I was Snowden either.
Judging by your last paragraph, though, I'm guessing you're trolling. Have a nice day.
You don't need to shut off the phone to get into the hardware.
>What % of people that buy this phone are actually going to be at risk of someone taking their phone apart to compromise them in this way? This method you explained is in no way "trivial."
On the other hand, I bet a company could easily implement such an attack on the cheap and sell it to LE, who would just pass the costs on to the defendant.
>Judging by your last paragraph, though, I'm guessing you're trolling. Have a nice day.
I'm setting the stakes. If you're not up for the discussion that's up to you.
Do you mean row hammer or cold boot attack?
I'm genuinely curious if this has been done before and if you can provide examples.
It's not merely secret service who can do this. Criminals can do it as well. The easy part of it? Your fingerprint is left all over your device. Including likely the one you authenticate with. If it's your index finger of your primary hand, it's bingo.
A fake 2G cell tower costs 250 EUR on the black market. That's also a bad way to use TOTP. However, 15 years ago those devices were either not sold or still very expensive. That's a different threat model.
FaceID is going to be hacked eventually (the question is when, not if), perhaps in the way you described. Until then it is reasonably good to keep criminals who steal your device at bay. It's also worth it to audit it (try to break it, e.g. in the way you described). State agencies, unlikely to keep those at bay with FaceID, given they can force you to authenticate. Criminals who mug you by force may also be able to force you to remove FaceID, but they may also compel you to give away your PIN. Government has already made devices to bruteforce PINs; we should've swapped to passwords ages ago.
While I am sure it is not impossible, nobody has been able to provably "trick" the current-generation Touch ID sensor. Only demonstrated on the first revision (found in the iPhone 5s, and possibly the iPhone 6 too).
I submitted this earlier today but it didn’t get traction.
Basically it could be done.
The fingerprint argument isn’t an argument against FaceID. And it’s still kind of pointless because Apple put out figures a few years ago that TouchID led to a ~50% INCREASE in locked phones.
You seem to be arguing that a secure passcode without biometrics is better. It seems that if the public can’t use biometrics they prefer NO security. So even with that ‘flaw’ it’s no worse (often MUCH better) for everyone.
“Biometrics are evil because you can’t change them.” Or “They’re usernames/passwords/whatever.” Or “FaceID can be subverted by a nation state with 3 years and $75 trillion”. Or “You can just unlock it with a single picture from Twitter.”
And of course “If only they added an esoteric and complex method of unlocking a fake environment under duress by winking the word tomato backward in French Morse code...”
None of it seems helpful. Using a FaceID discussion to argue TouchID is insecure... seems pointless. The arguments about how it can be bypassed (supposedly) with JUST a 3D printer and thousands of high resolution photos and a video of you looking into a camera and........ come on. This stuff would be unbelievable in an Oceans 11 sequel.
And people argue as if FaceID has to be perfect when it replaces a fingerprint (which is easier to fake) or basically nothing. We’re not securing the Crown Jewels here. We’re trying to keep the guy next to you at the bar from tweeting as you.
So in the end there is no useful on-topic discussion. It’s just an irrelevant story that people can use to tell about their pet biometric issues even when they don’t fit.
People are still arguing about things Apple said during the initial keynote. The only one I don’t see from before is the ‘will it work in the dark’ question which Apple explicitly mentioned in the keynote.
I want to know more about FaceID from people who know more about security. Instead we’re discussing how the technology it replaced is bad and fringe internet conspiracy theory level nonsense.
Edit to add one more thing: maybe this is rose colored glasses but I don’t remember the threads around TouchID being anywhere near this bad. People argued over how easy it was to get a fingerprint, sure. That’s fair. But the rest of the discussion seemed much more relevant.
Plenty of phones and cameras have 3D capability. That kind of tech is already being used in cosmetology courses to 3D print a model of your own face and hair for hairstyling practice. It wouldn't be that difficult to make a warm 3D mask to fool the infrared camera and sensors.
I mean sure you can knock someone out and use a handheld 3D scanner to get a whole bunch of good shots of them but that’s hardly someone walking down the street and you getting a quick grab of their face.
My point isn’t that it’s impossible it’s that it’s not feasible for any normal person or group without a large and noticeable undertaking. These are not reasonable threat models for normal people.
With a Lytro camera you could do it from just about any distance.
"but that’s hardly someone walking down the street and you getting a quick grab of their face."
All you have to do is even look remotely interested in your phone and pretend you're not taking a picture - boom info gotten surreptitiously. That's assuming the other person you're copying biometrics from is even paying attention - odds are they're probably too focused on their own phone to notice.
A very narrow bandwidth of IR thanks to what we term the "Infrared Window," which is trivially easy to duplicate or fool, as it's one of the same IR bands used for surface mineralogy done via satellite.
I'm really not oversimplifying at all; I am applying knowledge in fields in which I am competent to say "You think it can't be that easy, here's how easy it can really be."
Houses and cars are 1000% not secure, you can always break a window and get access. That's why they have ARMORED cars and bank VAULTS or safes.
However, if you break a window, or drill a hole in a safe, there is "visible sign of forced entry".
When you see a broken window by your front door, when you see a broken window on your car, when you see a hole cut through sheetrock next to your door, or you see your door blasted off its hinges, you know that the security of the device has been compromised.
That's truly what's missing on device security nowadays: "Signs of Forced Entry" ... number of incorrect password attempts, number of incorrect FaceID / TouchID attempts, etc.
And if your device is rooted or untrusted, then there's often not a good, trusted, visible way to see that security has been actually compromised (as opposed to attempted to be compromised).
To my mind, privacy is often the most important difference. There are a lot more private things on my phone than in my house, honestly -- a phone these days is often almost an extension of the mind. Which is why we should hold it to a higher standard.
I personally have no problems with TouchID/FaceID, I think the secure enclave is great, but I still think there's a lot of room for improvement, better sandboxing of data, better tripwires for when data is accessed/transferred, etc.
How often do you get arrested where that edge case is a legitimate concern?
If being arrested were a legitimate concern, why would you keep data on your phone that would implicate you in a crime?
If you were in a higher risk group (i.e. a drug dealer,) why not disable Face ID? Use a six digit pin and be done with it.
I am not particularly worried about cops, I am worried about losing my phone and having some jackass using my data to fill his bank account.
Political dissidents are the group I'm concerned about. Police are very interested in extracting contact lists from activists' phones in order to build a model of their social networks and infiltrate/disrupt them. This is a pervasive problem.
Yes, the answer is to get people to turn off FaceID if they're at risk, but educating large groups of at-risk people is hard, and it would be better if this feature were not turned on by default.
You already have to educate them to use a password, is it that hard to say ‘and don’t use biometrics either’?
And does it matter? If a government wants to repress they’ll do it. They’ll beat you or harass you or something like that.
“Well we think you’re trying to overthrow us but FaceID is turned off on your phone. I guess we’ll give up today. You’re free to go, have a nice time.”
Your understanding of the current state of the law is very wrong.
There's a person in the US who has been in jail for multiple years now without being tried / convicted due to refusing to provide access to their devices.
There's another case with a warrant allowing an officer to force someone to unlock their phone protected by TouchID.
I have also heard multiple US states have enacted laws specifically addressing device unlock, but I don't have links to them at the moment.
That is a very wrong statement. I don’t care if things changed a year or more ago, it doesn’t make it any less wrong now. I of course meant no offense to you, but legal statements which are wrong could easily mislead someone and the emphasis is necessary. Apologies if offense was taken!
I agree that the description you provide is generally correct.
So a PIN alone would've been more secure. It'd have cost the government more effort to crack. A strong password or TOTP would've been a better solution. Pref. 2FA w/both.
You could use FaceID as 2FA, but then people need to keep in mind that it's a very weak chain in the 2FA. They still need a strong other factor ie. a strong password.
You know how and where Ross Anderson was busted?
This is peanuts to beat. You bust the target whilst they're on a dinner having a drink, or right after they went asleep. The government knows your current position, and knows when you're asleep. Once this has become the status quo, rest assured cops with a police warrant wouldn't enter anymore at 6 AM right before you wake up but at 1 AM right after you went asleep (but before your FaceID would time out).
> (which would be very rare since it would just require you to squeeze both sides and you'd have the chance to do that while performing the action of handing your phone over).
Law enforcement will adapt very quickly to that if this becomes the status quo. They'll first and foremost bust your hands, so that you are unable to lock your phone. Then they hold the phone before you and voila, unlocked.
In encryption terms, logging in with biometrics is "vs. kid sister" security, not "vs. major government" security.
> If you are so concerned about security that you think there is a good chance someone is going to physically attack you to get into your phone, you should just assume someone will get into your phone eventually, and don't keep any sensitive data on it. For the other 99.9999% of the population, face id is good enough.
I don't understand this statistic. Are you arguing 99.9999% of all phones aren't a potential target of being stolen? Are you arguing 99.9999% of all people's data isn't interesting to authorities? You're being overly optimistic about FaceID.
No, I'm saying that, for effectively everyone, there are way easier ways to get into their phone than through FaceID, for example by just taking their phone while they are using it. So for effectively everyone, FaceID will not change their security risk, because there is no motivation for anyone to try and bypass their FaceID when there are easier attack vectors - especially when you are able to disable FaceID the second you feel you are being threatened.
1. Many (most?) people have more private information on their phones than they do in their house, and there are different risks of each being compromised, so there should be different standards.
2. My impression of the security community is that pretty much everyone uniformly agrees that home security is garbage and needs to be improved.
Also, OP says you can't lose your biometrics. You can, it's just painful and you'll not be the least bit happy about it.
Consider for a moment the baklava. A baklava increases anonymity of an attacker (ie. burglar in our discussion), but also increases suspiciousness of victims and 3rd parties (ie. innocent bystanders, witnesses).
Physical burglary has many of these nuances, trade-offs.
A key on a front door is meant to keep an attacker out for as long as they get caught and/or identified, or become afraid they get caught and/or identified. It isn't meant to stop an attacker to enter a house. If an attacker wants to enter your house, they can just break in via a window. Various techniques exist for that, some are noisy, others are more sophisticated and aren't noisy.
Someone who's trying to enter via a window by night though is suspicious which means the attacker might be noticed and get caught. Most normal house keys [at least here in NL] are very cheap and have a lot of vulnerabilities, they have weak entropy (e.g. 6 entries with 6 options each), or are vulnerable via lock bumping (takes max 10 sec to enter and doesn't look very suspicious).
With electronic devices, it's more binary, but it depends a lot on whom you're defending against. Petty criminals, technical criminals, or state actors.
> This is in contrast to passwords and pincodes, which can be stolen by eyeballs, cameras, audio recording devices, etc.
Yes, passwords can be stolen by eyeballs and cameras and Van Eck phreaking (TEMPEST). However if combined with TOTP it becomes something you have and something you know. Facial recognition is just a form of something you have, and the key cannot be changed.
The key can be put off, but that is not more secure than having TOTP on your watch (with yes/no button) and being able to disable the authentication method on your phone by pressing the power button 5 times.
Liveness is just obscurity. It's gonna be insecure at some point, and you'll be begging Apple for a newer, more secure solution at that point. Pray they still support your device by then.
Yes, thank you, balaclava (bivakmuts in my primary language). I have difficulty pronouncing and remembering the word. I'll keep it as-is for readability of the discussion, and for admitting my mistake.
And you can't build a remote identity verification with this data, because there's no way for the user to change it and revoke it (let alone it's very privacy sensitive).
The biometric access control systems (the one "in the movies", palm recognition, retina scanners...) implicitly assume that the connection between the sensor and the central server is secure, and that the user authorized its data to be in the database. This model doesn't apply to "general users" and "internet companies".
Research in biometric security aims at finding functions of your biometric data that can be revoked and it's not privacy sensitive.
Edit: with "revoke" I don't mean remove it. I mean revoke one and set another one, like you can do for a password/pin, or for a phone number/hw device.
Tell that to virtually all the governments around the world, who are now building databases of everyone's fingerprints, from "needing them" for passports to national IDs.
Also that is the problem, because those biometric signatures can be hacked. It's way harder to hack into 1 billion devices to steal everyone's biometric signature. That is a feature not a problem.
Yes, that is the problem. No, biometrics are not password. Please stop spouting this nonsense? Biometrics are akin to username; they suggest your identity, but don't authenticate you. They should not be used as password because they cannot be changed, and cannot be kept secret. A password (or better, TOTP authentication) can be changed, and can be kept secret; a hardware fingerprint scanner (or face or iris scanner) cannot be changed, and can be faked by any semi-intelligent person or organization. Fingerprint can already be stolen and used in identity theft. We saw this various years ago in CCC when a German minister got his/her fingerprints stolen as a way to prove the insecurity. It is only a matter of time when the common people learn about how to trick face recognition and iris recognition. In the meantime, strong passwords and (preferably) TOTP is secure. Use that instead.
> Research in biometric security aims at finding functions of your biometric data that can be revoked and it's not privacy sensitive.
Cat and mouse game, and wrong premise: biometrics cannot be revoked. They're permanent.
I still disagree on the username. You know my username here and on twitter, you don't know my fingerprint. And no, you can't repro my fingerprint so easily as you think because "fingerprint reader" is a short for a sophisticated piece of hardware that measures other things, e.g. blood pressure.
On the research, I didn't say biometrics can be revoked. I said you can build a function of biometrics info, whose result can be revoked. No one is disagreeing with your premises, but this doesn't mean that the problem has no solutions.
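(Added illustration, not part of any comment in this thread and not how Face ID or Touch ID work: a minimal sketch of the "revocable function of biometric data" idea discussed above, using a token-seeded random projection in the style of published cancelable-biometrics schemes.) The feature vectors, token strings, template length and threshold are all constructed assumptions, and the scheme only helps while the token stays secret.

```python
import hashlib
import random

N_BITS = 128            # length of the stored template (assumed)
MATCH_THRESHOLD = 0.20  # max fraction of differing bits still accepted (assumed)


def projection_matrix(token: bytes, n_features: int, n_bits: int = N_BITS):
    """Derive a pseudo-random projection from the user's revocable token."""
    seed = int.from_bytes(hashlib.sha256(token).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(n_features)]
            for _ in range(n_bits)]


def make_template(features, token: bytes):
    """Project the feature vector and keep only the sign of each projection.

    Only this bit string is stored; the raw features are not. Issuing a new
    token yields an unrelated bit string from the same face or finger.
    """
    matrix = projection_matrix(token, len(features))
    return [1 if sum(w * x for w, x in zip(row, features)) > 0 else 0
            for row in matrix]


def distance(a, b) -> float:
    """Normalised Hamming distance between two templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def matches(probe_features, token: bytes, enrolled_template) -> bool:
    """Fuzzy match: sensor noise flips a few bits, so compare with a threshold."""
    probe = make_template(probe_features, token)
    return distance(probe, enrolled_template) <= MATCH_THRESHOLD


def constructed_capture(person_seed: int, noise: float = 0.0,
                        noise_seed: int = 0, n_features: int = 64):
    """Constructed stand-in for a sensor reading: a fixed per-person vector
    plus optional capture noise. Real feature extraction is out of scope."""
    base_rng = random.Random(person_seed)
    base = [base_rng.gauss(0.0, 1.0) for _ in range(n_features)]
    noise_rng = random.Random(noise_seed)
    return [b + noise_rng.gauss(0.0, noise) for b in base]


def demo():
    token_v1 = b"token-v1 (constructed)"
    token_v2 = b"token-v2 (constructed)"   # issued after revoking v1

    enrolment = constructed_capture(person_seed=1)
    later_capture = constructed_capture(person_seed=1, noise=0.05, noise_seed=7)
    someone_else = constructed_capture(person_seed=2)

    stored = make_template(enrolment, token_v1)
    return {
        # Same person, noisy re-capture, same token: accepted.
        "same_person": matches(later_capture, token_v1, stored),
        # Different person, same token: rejected.
        "other_person": matches(someone_else, token_v1, stored),
        # Same person after revocation: the leaked v1 template is far from
        # anything the v2 token produces, so it no longer verifies.
        "leaked_v1_vs_v2": distance(make_template(later_capture, token_v2),
                                    stored),
        # Re-enrolment under the new token works as before.
        "same_person_v2": matches(later_capture, token_v2,
                                  make_template(enrolment, token_v2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```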
Fingerprints are very different from face. Someone has to actually follow you around and clone your fingerprint from something you touched.
With facial unlock, as virtually all previous systems have demonstrated, you usually only need someone's online photo, or a close variation of that to unlock a device/system that uses face unlock.
With everyone plastering their photos in high resolution all over the web these days, and with machine learning advancing so fast these days, how long until a system like this is defeated?
Do you really think "3D photos" of you can't be created? Or even ones that test for "liveness". What exactly do you think that "liveness test" is? It's just an algorithm that Apple uses. That algorithm can be reverse-engineered.
Also, the claim that Apple's Face ID has a False Acceptance Rate of 1 million versus TouchID's "only" 50,000 is very misleading. That metric only works when you think of an attacker throwing completely random faces at the system. Do you think an attacker that wants your phone is going to throw random faces at the device? Or do you think it's far more likely that it will start building that 3D profile out of your high-resolution online photos?
Suddenly that 1 million FAR becomes much smaller, as the difference in profile from what the attacker has already gathered on you from public websites is much smaller than what you look like in real life.
This is what may actually make the Face ID system less secure overall than TouchID. It's just way way easier to get someone's pictures than it is to get their fingerprints.
I believe it was doing infrared detection.
It's akin to having multiple wallets when visiting high-theft areas. Get held up by an armed thief and give them the cash in the visible wallet, while holding back what's hidden in another location.
The practical applications of this are close to nil.
The government will not be fooled for one second because they can cross reference enough sources to know if you are lying. All this will do is get you slapped with a felony:
If it is a criminal instead, well, they don't have to tiptoe around moral, ethical or legal concerns. They already have a gun pointed at your head. You act funny, you get shot. Do you want to risk a bullet in your head?
I fail to see the advantage of this mode. Ultimately it will only get you into more trouble.
The idea of using them as secure devices should probably stop, at least until they are actually secure. Moreover, if you're committing crimes, maybe don't record them in a way that is recoverable. Not that you should necessarily be a criminal but, if you're going to be a criminal, you should probably be a safe criminal.
Don't text me saying you need a G for the yayo. The cops know what that means.
That doesn't mean they are useless, just that I consider them compromised right out of the box. I treat it accordingly and will recommend others do the same until they are much more secure.
They are great for lots of things. Privacy and security are not among those things.
I just think that a duress mode with facial recognition (that also has to account for eye-wear, makeup, and various environmental changes) is going to have a difficult time creating a duress mode. Whereas a dual password system is easy to implement.
OR you could use the face as a username, as many suggest, and a short 4 pin password. You could easily have a duress password option (which as far as I know doesn't exist), still quickly log in, AND have fairly good security.
I strongly dislike this kind of waving away an important feature request. These days anybody crossing the border of the USA could be asked to unlock their phone. I'd say that's at least a larger percentage of the "population" (whatever population you meant) than "0.0001%".
I could easily say I dislike people making up ridiculous corner cases and demanding new technology be designed for it and being deployed.
Are there any authorization methods on any kind of mainstream devices that provide that capability?
I tend to agree that it’s not actually useful and would be incredibly hard to implement, all for a case where most people will just give in to avoid harm and forget the option, if it’s even on, exists so they can’t activate it.
As another commenter said, you can't expect Apple (or any manufacturer) to build all these extreme corner cases. If you don't want to unlock your phone at the border, put it in your checked luggage or ship it to your hotel/destination.
If you still think that Apple should build something like this because it's important and serves a non zero % of the population... I'd also like Apple to build...
1. FaceID that will tell me when I have something in my teeth
2. FaceID that will tell me when my hair is messy
3. an iPhone that listens to my voice and detects when I might be sick and orders cough syrup
4. an iPhone accelerometer that detects when I am limping and books a physio appointment
5. an iPhone camera that can detect when someone is watching me in the distance
6. an iPhone that will passively listen for gunfire and tell me to seek cover.
See how feature requests can get out of control.
This should also be available to fingerprint readers, as the suggested "gesture" would be even easier: just use a different fingerprint (you can set the fingerprint that everyone expects you to use as the "other fingerprint", and use some other fingerprint as your default one).
It should also work with passwords, etc.
The would-be thief, assuming he knows about the "duress mode" (which isn't a bold assumption considering the large black market for stolen iPhones), would recognize that you've logged in to something strange, that doesn't show any useful data. They'd just pull back the hammer on their pistol and tell you to try again.
It has something else: Don't unlock under duress. You press one of the buttons five times, and the police or a robber can't use your biometrics to unlock it.
It's not the same thing as what you're looking for, but interesting still.
There are circumstances in which Apple is obliged to provide law enforcement with what they have, and can't tell you that they provided it.
Having said that, nothing beats an unsynced phone with a long password. No faceId, no AI recognition, no iris, no fingerprint. Just a good old long password.
Where exactly is Apple storing the entire content of your iOS device unencrypted? Hint - they're not...
But so does your face if it's been wearing a balaclava in the cold (some parts will be cold and some will be warm...)
> The flood illuminator produces infrared (IR) light, part of the electromagnetic spectrum that's invisible to the naked eye, to illuminate your face;
I guess that leads back to my question (in another comment) about whether or not face paint would affect it.
I’m guessing they only use the camera to read the positions of the dots projected onto the face. I don’t think they care about the ‘color’ of the face or how hot it is thermally.
They’ve said they’re projecting the infrared dots? Have they said they’re doing any other kind of infrared illumination like the kind that can show blood vessels?
I’m curious to see if face paint (assuming it reflects IR to a reasonable degree) interferes with FaceID. If it does they’re using more than just the dots for geometry. On the other hand if it doesn’t then they can’t be paying attention to things like IR emissions from the skin since it would be covered and thus heavily dampened.
Now I’m even more curious about the face paint.
* Does one explicitly set up their FaceID with the option to skip, like how TouchID works currently? I see (when...enabled) verbiage, which is a good sign.
* "The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID)"
If you have a face that causes most people you meet to say "oh, you look like X, Y, or Z", is this probability reduced? Other comments noted twins. This isn't meant to be humorous or tongue-in-cheek, there could be a precedent that people of certain appearances are easily spoofed.
* "To avoid a user having to reenroll to Face ID when these neural network changes are made, iPhone X will be able to automatically run stored enrollment images through the updated neural network."
I guess a layperson would see the word "automatically" and relax, but this leaves more to be desired in explaining the "Secure Enclave" to me. The name "Secure Enclave" almost sounded like remote storage until I read that the data never leaves the device.
Thanks for the downvotes for questions!
Of course. See "Face ID requires a facial match — or optionally the passcode — at every wake." and "If you're concerned about [matching with a twin], we recommend using a passcode to authenticate."
I was really hoping they'd provide the probability for identical twins, but maybe they don't have enough data to give a specific number on this (I assume most of their data comes from people without identical twins).
Also regarding the "evil twin" thing, evil twins came from another dimension so, aside from the goatee, they really were literally identical down to every last detail. It's unclear to me if that joke was meant as "your identical twin will be able to unlock your phone, so hopefully they aren't evil", or was just meant as "someone who looks like you might be able to unlock your phone". Probably a bit of both. But this is why I want to know what the actual probability is that an identical twin can unlock the phone. Maybe it really is 1 : 1, but maybe it's not.
Maybe it needs to see more "liveliness" and a few degrees head rotation?
Overall I think with the alertness test, the 48-hour passcode lockout, the "press the lock button 5 times" panic mode, and a limit on all attempts is enough to discourage most three letter agencies. It seems to have been enough with TouchID.
Apple mentioned this on stage, which to me was quite significant since they don't waste a single word during their keynotes.
They still haven't given approximate collision chances and to me this must mean they think it's below the 1/50,000 touch id had.
My understanding is fingerprint collisions are highly random. That is very different from Face ID collisions since they are highly predictable.
"Dylan and Luke are bounty-hunters of a new breed. They have to find the long-lost twins of suspects on FBI's Most Wanted list. On this episode of Face Hunters..."
Sounds like a movie plot to me (I made a guess at one if you dig through my comment history).
As far as I remember, in the big reveal, they did make a point of saying that faceid had a much lower chance of colliding than the fingerprintid system.
> The probability of a false match is different for twins and siblings that look like you
So that means the 1 in a 1,000,000 chance doesn't make sense here because Apple said the probability is different in regards to twins and siblings that look like you. So @gre just spouted off the statistic when OP was asking what the probability might be in regards to twins and siblings, because Apple says that it is different.
So it matches on a math model created using face data and 'a device-specific random pattern'. So unless someone cracks the algorithms used here, you need the device data to spoof the model, assuming the pattern is used in a way that you can't simply ignore it and generate matching models using just a spoofed face.
"We worked with participants from around the world to include a representative group of people accounting for gender, age, ethnicity, and other factors."
If the model is really hugely inclusive, it could be too general. But also it would be very difficult to get the same number of scans from some minority populations, and that could affect the functionality of the result.
"An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks."
Gruesome thought: what if somebody obtained your face?
Additional thought: could we train the neural network to detect faces under duress and immediately lock the device?
Maybe they can also forcefully sedate you or fix your head/eyes with some medical device.
- TouchID is already very fast
- I can give access to someone else with TouchID without giving my password
- It's unlikely that someone will be able to unlock my phone without me knowing it when using TouchID
- In case of coercion, I still have the possibility to give the wrong fingerprint 9 times before the good one
- I have to voluntarily give my agreement with TouchID for an action (think apple pay)
All of that makes me think that they are trying to sell a feature that is only due to their engineering team being unable to put TouchID on the iPhone X.
By every real world metric, TouchID is better in my opinion...
I highly doubt it’s easier to add FaceID than TouchID to any phone.
> Apple made this decision well over a year ago. Perhaps the fundamental goal of iPhone X was to get as close as they could to an edge-to-edge display. No chin whatsoever. There were, of course, early attempts to embed a Touch ID sensor under the display as a Plan B. But Apple became convinced that Face ID was the way to go over a year ago. I heard this yesterday from multiple people at Apple, including engineers who’ve been working on the iPhone X project for a very long time. They stopped pursuing Touch ID under the display not because they couldn’t do it, but because they decided they didn’t need it. I do believe it’s true that they never got Touch ID working, but that’s because they abandoned it in favor of Face ID early.
> I don’t know why recent supply chain rumors suggest Apple was scrambling to get Touch ID working on iPhone X as late as this summer, and no one at Apple seems to know either. Disinformation campaign from competitors?
A physical keyboard on the other hand makes a phone at least twice as thick, twice as heavy, and twice as ugly (although the last one is more subjective).
Do you really think it's likely that someone will steal your phone and then trick you into looking at your own phone without you realizing it? At that point you might as well be tricked into putting your finger on a TouchID sensor.
The real question to me, a person in the FR industry, is: will Apple iterate their camera hardware and extend the perception depth range to be competitive in the larger FR surveillance industry? The general FR industry has to recognize multiple people at a distance, and then IoT-like control other hardware, a game Apple is not touching with Face ID - yet.
I hope they continue the product lines they currently have for the phone: the experimental expensive one, the "normal" and Plus iterative ones, and the not-as-fancy-but-fits-in-my-small-hands one.
- Less user-interaction to authenticate (though as you point out this is also a negative)
- Allows for other UX improvements, e.g., maintaining screen lighting while phone is being observed but not manipulated
- My speculation: capacity to add additional faces will be added with SW (or next HW) update
I don't understand your point #3. How do you think someone would unlock your phone with Face ID?
It requires your face + your attention.
They can also present the facts in a misleading way that makes FaceID seem better. At the end of the day, you can never truly trust the company to present a fair review of their own device, and that's why reviewers exist.
> Many (most?) people have more private information on their phones than they do in their house
But I can't think of any in my situation. Regarding data, almost all is available on my PC and tablet as well, both staying at home most of the time and with security features that can be bypassed with enough time/effort. Moreover, photos, handwritten notes, purchase receipts, bills, love letters and so on are all at my home or accessible through my home, but not necessarily stored on my phone. Digital traces about my communications and travel are available through numerous service providers (mail, cell, isp) ... no need to break into my phone, either.
So, what is the private data only available on everyone’s phones but not in their homes? Unsynced, not backed-up private notes and photos never shared with anyone else? Am I missing something (honest question)?
> Face ID data doesn’t leave your device, and is never backed up to iCloud or anywhere else. Only in the case that you wish to provide Face ID diagnostic data to AppleCare for support will this information be transferred from your device. Enabling Face ID Diagnostics requires a digitally signed authorization from Apple that’s similar to the one used in the software update personalization process. After authorization, you'll be able to activate Face ID Diagnostics and begin the setup process from within the Settings app of your iPhone X.
What is preventing the government from compelling Apple to give up this key, and intercept your diagnostic data?
I await some interesting articles featuring IR imaging after the X ships.
So to the argument that police can force you to open your iPhone if secured with TouchID, is this perhaps more secure? If you refrain from looking at your phone?
Follow you until you make a phone call, or do something that requires you to unlock your phone. Then multiple people descend on you and grab you and your phone.
However you can disable TouchID and FaceID both by pressing the power button five times in quick succession, after which it will require your passcode.
> After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
This seems effective "on paper, but not in practice." Even if you're innocent, it is one of the most nerve-racking experiences to go through.
In the heat of the moment, what if you used an old 5s method to deactivate TouchID instead of whatever method works for the X?
I would prefer it to be a double-tap on the power button, or at the very absolute worst, a triple tap. Two buttons simultaneously five times? Impossible to do under any sort of external pressure/duress.
Power button 5x on any other phone.
You press either one of the volume buttons on one side of the phone while also pressing the sleep/wake button on the opposite side.
If history is a guide, this will be a new normal that will carry through to future hardware as well.
Unfortunately, (myself included), we are so conditioned to look at your phone when it is out in our face that you would have to actively train against this "reflex".
The best decryption algorithm is still rubber hose decryption.