FaceID Security [pdf] (images.apple.com)
250 points by MBCook on Sept 27, 2017 | 304 comments



I'll bet most people who dismiss TouchID and FaceID as useless because they're "usernames" and not "passwords", have a bog standard lock and key on their house.

Funny thing about those house keys. They can be stolen, lost, or duplicated from pictures. But TouchID and FaceID have liveness tests to prevent forgeries, your biometrics can't be easily stolen, and you can't lose them.

A house key is called a "key" though, so it must be a password, and thus must be secure! And biometrics are just usernames, so they're useless and insecure!

Sarcasm aside, my point is this. Even with the worst biometrics, your phone would be more secure than 99% of houses. And I don't see people complaining about the state of home security...

Ultimately, these username vs. password analogies are shallow understandings of security, and at best flawed.

Biometrics, passwords, house keys, secure dongles, etc. Those are _all_ keys. What they differ in is how reproducible they are, how easily they're lost, and how easily they're bypassed.

For example: Biometrics, when measured by devices with sufficient liveness tests, are robust against forgeries. That means they can't be stolen. This is in contrast to passwords and pincodes, which can be stolen by eyeballs, cameras, audio recording devices, etc. You can use FaceID or TouchID to unlock your phone in front of all the recording devices in the world, and yet still your biometric key won't be stolen.

See how that example comparison is far more interesting and enlightening than "biometrics are usernames, so they're pointless"?

* Of course, when I refer to household locks and keys, I mean your average household lock. There are, of course, premium locks with keys that can't be reproduced. But most houses have locks that you can sneeze on and open.


> And I don't see people complaining about the state of home security...

Home security is a really poor analogy.

* Attacking everybody's house at once is not scalable, unlike attacking many people's electronic devices at once. Furthermore, defending against a SWAT team armed with a search warrant is nigh impossible, no matter what lock you put on your front door.

* The contents of most people's houses is far more weighted to "things which would be a hassle to file with insurance to replace" and less "it would ruin my life if this got into the wrong hands", and their strategy for home defense is weighted as such.

* Many people whose strategy for home defense (well, in the US) is more serious, will weigh more towards weapons / guns and less to the actual locks on the doors. What would a digital equivalent be? A prick of poison for anybody who picks up a phone which doesn't belong to them? The analogy totally breaks down in context.


The analogy is one of defense in depth: if you're serious about security, you can use memorized & typed secondary passwords on secure apps, such as secure notes in 1Password, or an app like https://guardianproject.info/apps/pixelknot/ that would steganographically encode secure notes into otherwise normal photos, potentially with independent passwords for complete deniability.

A locked door and a face-locked iPhone are only the first line of defense, and are largely for convenience's sake in both daily use/as a deterrent and in the case of physically being distant from your property. The "guns" are entirely independent.


I am not a huge fan of Steganography in images. There are far too many services out there which take the liberty of modifying or re-encoding your images to a different format for various reasons.

Is there a lossless medium which can be used for steganography?


If it's lossless, then where do you hide the message? In "comment" sections? Not very well hidden.

How many formats are there where you can intentionally encode something with meaningless characters?


> The contents of most people's houses is far more weighted to "things which would be a hassle to file with insurance to replace" and less "it would ruin my life if this got into the wrong hands", and their strategy for home defense is weighted as such.

Except for, you know, family members.


How do you attack everyone’s physical camera at once? Sure you could attack other implementation details of the device remotely and “at once” — but how is that relevant to the faceid use case?


I believe solatic means that once a method to crack Face ID is found, all devices are suddenly at risk.


Like the dissemination of knowledge about bump keys fifteen years ago, which put a large number of homes suddenly at risk.


Indeed. However it seems likely to me that an attack could be resolved with a software update as the decision to unlock is performed entirely by software (as far as I can tell).

It's a bit harder to upgrade your front door lock in this way.


If I lose my house key I can change the locks and make the old key worthless. How do you change biometric keys once they're compromised?


It sounds like fpgaminer's argument is that biometric keys can't be compromised because of "liveness tests". An argument against would have to rebut this assumption.

My gut instinct tells me that this assumption is absurd, but I lack the specific knowledge of these systems to prove it.


"Liveness tests" will be beaten in the same way Apple created them: with machine learning.


> It sounds like fpgaminer's argument is that biometric keys can't be compromised because of "liveness tests".

You're arrested, and the cops hold the phone up to your face to unlock it. That's a pretty big compromise, and there's literally nothing you can do to prevent it.


The same holds true for physical keys.

If you're arrested then the cops can tie you, grab the keys and unlock your door "and there's literally nothing you can do to prevent it."

Also some guy can just make a copy of your key (pretty trivial) -- heck, people can even break your door, bypassing the key altogether.


Yes, but the police have to get warrants. If they fail to get a warrant, then it's inadmissible in court.

In the phone case, they don't need a warrant if your authentication method is literally your face.


In the United States, the Supreme Court does not allow warrantless cell phone searches.

https://en.wikipedia.org/wiki/Riley_v._California


The police hold up the phone, pointing towards the suspect:

Detective: "Is this yours?"

_Suspect glances in the direction indicated, phone unlocks._

Detective: "Nevermind, I got it from here."

-----

At least TouchID required physical assault to get you to unlock the phone. FaceID on the other hand can be defeated with perfectly legal attention grabbing techniques.


This doesn't seem to be a valid argument when discussing the police in the United States.

Without a warrant: No information taken from your phone by the police is admissible.

With a warrant: A judge can compel you to unlock any device with a biometric lock, regardless of what sort of biometric lock we are discussing. Fingerprint, iris scan, or face, it simply does not matter.


Warrants aren’t always required. Also, lack of a warrant just means the direct evidence they gather won’t be admissible, but it might lead them to new evidence. Also, it’s not just the police one needs worry about.


Even if an illegal search of your phone led to new evidence, in the US that new evidence would fall under a legal doctrine known as "fruit of a poisonous tree".

Fruit of the poisonous tree is a legal metaphor in the United States used to describe evidence that is obtained illegally.

For example, if a police officer conducted an unconstitutional search of a home and obtained a key to a train station locker, and evidence of a crime came from the locker, that evidence would most likely be excluded under the fruit of the poisonous tree legal doctrine.

https://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree

Border agents operate under a different set of rules and have been searching mobile devices without a warrant or even probable cause.

However the ACLU and EFF have filed a new lawsuit challenging this behavior, now that the Supreme Court has ruled that the police cannot conduct warrantless searches of cell phones inside the US.


“Parallel construction”


> Without a warrant: No information taken from your phone by the police is admissible.

Doesn't (or can't) law enforcement also use parallel construction (based on information obtained without a warrant)? I believe the point about what's admissible is not as clear cut as you state in a single sentence.


Well, that's usually not the case in the other 96% of the world.

And even there, would this stop a police force who routinely abuses, beats up, or even kills innocent people on the street for no or imagined provocation?


>Yes, but the police have to get warrants. If they fail to get a warrant, then it's inadmissible in court.

Depends on the country. Not everywhere, including western Europe, is this true.


Keys and faces don't really matter. It's a 3-part test.

1. You are a government agent

2. You are on a quest for evidence

3. You are searching in a place where there exists a reasonable expectation of privacy

If all 3 of these are true, you need a warrant (at least in the US). Doesn't matter if the keys, or in this case your face, are right there. The fact that you locked your phone with something the cop doesn't normally have is enough to require a warrant.


Searching through your phone seems like an action that would require a warrant.


Requiring a warrant seems like an action many cops could not care less about nevertheless.

For one, there are tons of loopholes, from border searches to "evidence of criminal activity" (dead easy to "prove" for a black/latino/poor person and have the court agree), and unless you can afford a good lawyer, good luck trying to prove your rights were violated:

https://en.wikipedia.org/wiki/Warrantless_searches_in_the_Un...

http://www.npr.org/2011/05/16/136368744/in-warrantless-searc...

Not to mention that warrants are not that difficult to obtain either -- except in the movies.


> The same holds true for physical keys.

Nobody's saying that home security is good. The point the parent was making is that, even with a "liveness test", compared to other biometric identification, this is a regression from fingerprint-based authentication for the iPhone.


How is it a regression? What kind of scenario exists where the cops can force you to FaceID unlock your phone, but not TouchID unlock it?

You think they can force you to look at it ("engage" with it) but not touch the phone?


Technically I could see FaceID being marginally more secure in one very specific edge case... If you are asleep. With TouchID, all that is needed is to push their finger to the phone. With FaceID, your eyes would need to be open (theoretically, let's see in practice).


Sure, for some people. I'd be surprised if you could unlock my phone with my hand without waking me up (light stomach sleeper).

Honestly, the easiest attack would just be to ask me about my dogs. 99.99% chance I'll unlock my phone, pull up pictures and show them to you (easy grab) or just hand you the phone and let you browse through them.


I’m a very heavy sleeper and a paranoid person, so unless I’m home (which I would be woken before you could get to my phone), I usually disable TouchID by rebooting (or now hitting power button repeatedly).


But with passwords that is not the case.


https://www.theverge.com/2017/8/17/16161758/ios-11-touch-id-...

is how you work around that issue.

Keep in mind, you don't need to refuse to TouchID/FaceID forever, just for the timeout (which I do wish was configurable -- I think one hour is reasonable).


Here's the sequence of events:

1. You're walking, with your phone in your pocket.

2. Suddenly, a cop accosts you. You don't have time to react.

3. They detain and restrain you (with handcuffs or otherwise)

4. They pat you down and find your phone

5. They hold up your phone to your face to unlock it

I know that people who've never been detained or interacted much with cops think that this is a completely unlikely situation, or easily avoidable, but I promise you it is not.

TouchID isn't great from a law enforcement perspective, but it's light years ahead of FaceID.


As someone who has been stopped/questioned/detained before domestically and internationally (as well as at border checkpoints) as well as mugged, I can assure you that touch vs look is pretty much the same (definitively not light years in difference). The solution is to be proactive. If you are going to walk down the street in an at risk area, you hit the power button five times. If you are about to go through a CBP checkpoint, then do the same. When you go to sleep, do the same (admittedly TouchID is more susceptible here than FaceID).

FaceID / TouchID are a "convenience" to be used when you are comfortable with your surroundings. Can you be caught off guard even when you are paranoid? Of course, nothing is ever guaranteed in life, except death and taxes as the saying goes!


> The solution is to be proactive. If you are going to walk down the street in an at risk area, you hit the power button five times. If you are about to go through a CBP checkpoint, then do the same.

You and I have incredibly different experiences of policing and detention if, for you, "be proactive when you're at-risk" is appreciably different from saying "don't use FaceID ever".


Or I guess our detection of risk differs. I have never been detained when I didn't have a "hair on my neck raise" with enough time to disable my phone.

If you are in such high risk situations continuously that "be proactive when you're at-risk" is appreciably the same as "don't use FaceID ever", then I say you are doing something very wrong and not just incidentally being stopped for a suspicion of possibly doing something wrong.

Either way, your experience is definitely not in the 99.9999% of the population for which FaceID would be sufficiently safe if it proves to be as secure as Apple implies. For you, let's hope you aren't using a numeric pin code either!


Even for long alphanumeric passcodes, a pipe wrench has a 99.99% effectiveness in passcode discovery, given sufficiently bad actors. https://xkcd.com/538/


However, if police are willing and legally able to do that, then I think basically all phone security goes out the window anyway.

The biometric attacks being discussed here are ones that could quite plausibly be used against you in many/most districts in the US, and be totally legal for the police to use.


Please don’t link to XKCD, especially when it’s been already done multiple times in this thread. It is pretty much the lowest effort comment you can make besides maybe “+1”.


Here's the sequence of events:

1. You're walking, with your phone in your pocket.

2. Suddenly, a cop accosts you. You don't have time to react.

3. They detain and restrain you (with handcuffs or otherwise)

4. They pat you down and find your phone

5. They take your hand and place it on the fingerprint sensor.

Ignoring #2 (and the terrible language you used), I don't see how my scenario is significantly more or less likely than yours.


It doesn't activate unless you look at the lock screen, so you can just refuse to look at it?

https://www.wired.com/story/iphone-x-faceid-security/


> It doesn't activate unless you look at the lock screen, so you can just refuse to look at it?

Have you ever been detained?

As far as I'm concerned, "refuse to look at it" is as useful as a prevention tactic as not having any lock at all.


huh... is touchID more useful? Is a PIN more useful?

I'm honestly curious, what's the difference between "I refuse to look at my phone" and "I refuse to enter my PIN" when being detained?


By that metric it is just as useful as "I won't give you my password" and "I won't touch the phone"

https://xkcd.com/538/


[deleted]


The de jure position should, if really established as true, be readily supportable by appropriate citation, so I don't feel much need to extend trust.


I heard in another comment in this thread it has focus detection, so you would have to look at the phone for it to unlock. Cannot find any other source of this though.


> Can not find any other source of this though.

It's in the marketing materials for the phone, was mentioned multiple times on stage during the introduction, and is in the introduction to the whitepaper that this entire HN thread is about. So yeah - a couple of sources are available...


It requires you to look at the phone to unlock. Close your eyes or look away and it won't unlock.


> It requires you to look at the phone to unlock. Close your eyes or look away and it won't unlock.

Yeah, I'm going to say that this is an absolutely unrealistic expectation to have of someone who's just gotten detained and is concerned about having the contents of their phone viewed by law enforcement.

"Make sure that you don't open your eyes at any point in the direction where they might be holding your phone" is completely unactionable.


> is completely unactionable.

As is the assumption you won't be forced to touch your finger to the phone. I can assure you, if someone wants into your phone bad enough, they will break your fingers if that's what it takes.


Well there is something, you can close your eyes at least.


You can turn it off.

Or you can apply a threat model and determine whether the people TouchID/FaceID is keeping your phone secure against would have the resources to mount such an attack.


> How do you change biometric keys once they're compromised?

> You can turn it off.

Is "don't use a lock" really the answer to "my key was stolen"?


I think it's more a case of "use a different lock". That is, use a passcode.


Turning off FaceID isn't "don't use a lock", it's "use a password instead."


You turn it off until it's been confirmed secure again. This is not much different from any security issue in software -- you disable the functionality until it's secure again.

The only risk is if somebody cracks the entire FaceID model and Apple cannot fix it in software. But even then, you would still disable FaceID and either return your phone or wait for a recall.


You can't replace your face. Are you suggesting that people turn it off until it's secure again meaning, like, plastic surgery?


You can't!? Wow, thanks for teaching me that.

Did you even read what I wrote? You would turn off FaceID and revert back to a passcode/passphrase until it is fixed in software.


Until what's fixed in software? Your face being compromised? You can't fix a leaked secret in software.


You are implying that there is a "secret" based on that face mapping that can be copied out of the device and then used to either 1) gain access to a non-Apple system that has some kind of biometric face detection system or 2) reproduce a face like yours to unlock your phone without you present.

From the PDF:

"Once it confirms the presence of an attentive face, the TrueDepth camera projects and reads over 30,000 infrared dots to form a depth map of the face, along with a 2D infrared image. This data is used to create a sequence of 2D images and depth maps, which are digitally signed and sent to the Secure Enclave. To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern. A portion of the A11 Bionic chip’s neural engine—protected within the Secure Enclave—transforms this data into a mathematical representation and compares that representation to the enrolled facial data. This enrolled facial data is itself a mathematical representation of your face captured across a variety of poses."

So, it's more like a hash of your face, which is very similar to how TouchID works. So, again, even if someone were able to break into the secure enclave and get that data, what could they do with it? It's a representation of yourself that is used for Apple devices.

Also, this is an OPTIONAL feature. If it doesn't fit your security model, don't use it. For the same reason a lot of people don't use TouchID -- they want the security of a passphrase. But for 90%+ of people that will buy that phone and are not at risk of the government or police pursuing them, the security it offers is more than adequate and it achieves this by not annoying the user and requiring them to have a 50 character passphrase.


Point a similar device at someone's face. Now you have their facial structure. You can open up their iPhone, desolder the FaceID hardware, and feed the leads captured inputs. Boom, phone unlocked. Even if they have some defense against that, you can just 3D print the person's face in a few hours and be done. Easy to write the data down in a less secure database somewhere, too.

This is trivial to do if the person is in custody. You could also profile a specific target and get their face walking past them on the street. You could do this in bulk in a public place.

Now your face is compromised and the person who stole it likely possesses your phone and is unlocking it now. You can't change your face, but it's too late anyway. You live in an oppressive regime, they found out you're gay from what they found in your phone, and you're going to be hanged in a week.


Ignoring the ridiculous level of technical sophistication needed...

You can’t ‘get their face’ if they’re ‘walking by’, you have to go through the whole enrollment. How are you going to trick them into that?

Also even if they go through some Herculean process to get your ‘face hash’ Apple could simply change the hash algorithm and reset it. For all we know different phones will use a different per-device random seed in the algorithm and that attack wouldn’t work at all even if the algorithm isn’t changed.

Again, you’re talking about getting a fully accurate 3D model of someone’s face that passes the FaceID tests and can be used to trick the attention sensors. That’s an INSANE level of effort for Joe random.

This is not a realistic attack, and FaceID is not designed to secure anyone at any time from any government with unlimited funds and resources. It’s designed to be better than the trivial passcodes that almost no one used.


First of all, it’s pretty clear from the whitepaper that the sensor and the Secure Enclave speak over an encrypted channel - you’re not going to be able to inject valid data.

Second, the point of using an IR image (in addition to the depth image) is that a simple 3D print is not going to provide valid spoofing - it will not match the IR absorption profile of a live face. Additionally, they are also likely testing for liveness by looking for changes from image to image, even if it’s just saccades of the eyes.

Third, Apple implies that they are taking a sequence of images. They can, for example, look for changes in IR images associated with blood flow correlated with your heartbeat, which prove you are alive and may be distinguishing from individual to individual. The secure enclave could also request specific changes in the images that can’t be predicted in advance, thus foiling attempts at feeding in canned images.

In short, I don’t think it’s anywhere near as simple as you propose.


Reading the linked PDF:

> To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern.

and

> An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks.

Its effectiveness is yet to be seen, but the implementation details counter all the points you made.


I just honestly don't believe it could be effective. The randomized pattern could be detected with an infrared camera, and neural nets are easily fooled.


If it’s anything like TouchID, the sensor authenticates itself to the secure enclave with a unique private key burned into ROM. Any data not signed by this key (possibly even countersigned with a real-time code from the secure enclave to prevent replay attacks) will be rejected. Just ask anyone who replaced their home button on an iPhone with TouchID.
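The sensor-to-enclave channel this comment describes, worked through as an added example (it is not Apple's code and is not taken from the whitepaper): the enclave issues a fresh random challenge, the sensor binds each capture to that challenge with a key only it holds, and the enclave accepts each challenge once. HMAC-SHA256 with a shared secret stands in for the per-sensor private-key signature (an assumption made to keep the example in the standard library; with a real signature the enclave would hold only the sensor's public key), and the `Sensor`, `SecureEnclave` and `run_scenarios` names, the frame bytes and the keys are all constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed per-sensor secret standing in for the private key the comment
# says is burned into the sensor's ROM (assumption: HMAC instead of a signature).
SENSOR_KEY = os.urandom(32)


class Sensor:
    """Camera module that authenticates every capture with its own key."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def capture(self, nonce: bytes, frame: bytes) -> dict:
        # Bind the frame to the enclave's fresh nonce so a recorded message is
        # only valid for the one challenge it answers.
        tag = hmac.new(self._key, nonce + frame, hashlib.sha256).digest()
        return {"nonce": nonce, "frame": frame, "tag": tag}


class SecureEnclave:
    """Verifier that accepts captures only from its paired sensor, once each."""

    def __init__(self, paired_sensor_key: bytes) -> None:
        # With a real signature scheme this would be the sensor's public key.
        self._paired_key = paired_sensor_key
        self._outstanding = None

    def challenge(self) -> bytes:
        # The "real-time code" against replay: a fresh random value per capture.
        self._outstanding = os.urandom(16)
        return self._outstanding

    def verify(self, msg: dict) -> bool:
        if self._outstanding is None:
            return False  # nothing was asked for: unsolicited data
        if not hmac.compare_digest(msg["nonce"], self._outstanding):
            return False  # stale or foreign nonce: a replayed capture
        self._outstanding = None  # each challenge is single-use
        expected = hmac.new(self._paired_key, msg["nonce"] + msg["frame"],
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg["tag"])  # wrong key or edited frame fails


def run_scenarios() -> dict:
    """Exercise the channel against a genuine capture, a replay, a tampered frame
    and a swapped sensor module; returns which of them the enclave accepted."""
    enclave = SecureEnclave(SENSOR_KEY)
    genuine = Sensor(SENSOR_KEY)
    swapped = Sensor(os.urandom(32))  # replacement module with its own key
    frame = b"constructed depth-map bytes"

    results = {}
    msg = genuine.capture(enclave.challenge(), frame)
    results["genuine"] = enclave.verify(msg)
    results["replay"] = enclave.verify(msg)  # same message again: nonce consumed
    msg2 = genuine.capture(enclave.challenge(), frame)
    tampered = dict(msg2, frame=b"attacker-chosen bytes")  # tag no longer matches
    results["tampered"] = enclave.verify(tampered)
    results["swapped_sensor"] = enclave.verify(swapped.capture(enclave.challenge(), frame))
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:15s} accepted={accepted}")
```

Only the genuine capture is accepted; the replay fails because the challenge was consumed, the edited frame fails the tag check, and the replacement module fails because it was never paired with this enclave, which is the behaviour the comment attributes to the replaced-home-button case.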


Actually, no. When you first power on an iPhone, you need the passphrase, not the FaceID. So swapping hardware does you no good unless you also have the passphrase/passcode.

Either way, let's say this attack you're talking about is possible. What % of people that buy this phone are actually going to be at risk of someone taking their phone apart to compromise them in this way? This method you explained is in no way "trivial." If you're Edward Snowden, don't use this feature. Simple as that. But I wouldn't use TouchID if I was Snowden either.

Judging by your last paragraph, though, I'm guessing you're trolling. Have a nice day.


>Actually, no. When you first power on an iPhone, you need the passphrase, not the FaceID. So swapping hardware does you no good unless you also have the passphrase/passcode.

You don't need to shut off the phone to get into the hardware.

>What % of people that buy this phone are actually going to be at risk of someone taking their phone apart to compromise them in this way? This method you explained is in no way "trivial."

On the other hand, I bet a company could easily implement such an attack on the cheap and sell it to LE, who would just pass the costs on to the defendant.

>Judging by your last paragraph, though, I'm guessing you're trolling. Have a nice day.

I'm setting the stakes. If you're not up for the discussion that's up to you.


> You don't need to shut off the phone to get into the hardware.

Do you mean row hammer [1] or cold boot attack [2]?

[1] https://en.wikipedia.org/wiki/Row_hammer

[2] https://en.wikipedia.org/wiki/Cold_boot_attack


Uh, neither? I don't think you understand the problem.


> You don't need to shut off the phone to get into the hardware.

I'm genuinely curious if this has been done before and if you can provide examples.


I don't have anything handy, I'm afraid, but the idea is sound from an electronics perspective. Definitely raises the implementation cost of this attack, though.


TouchID can be easily tricked. From December of 2014 at CCC: [1]

It's not merely secret service who can do this. Criminals can do it as well. The easy part of it? Your fingerprint is left all over your device. Including likely the one you authenticate with. If it's your index finger of your primary hand, it's bingo.

A fake 2G cell tower costs 250 EUR on the black market. That's also a bad way to use TOTP. However, 15 years ago those devices were either not sold or still very expensive. That's a different threat model.

FaceID is going to be hacked eventually (the question is when, not if), perhaps in the way you described. Until then it is reasonably good to keep criminals who steal your device at bay. It's also worth it to audit it (try to break it, e.g. in the way you described). State agencies, unlikely to keep those at bay with FaceID, given they can force you to authenticate. Criminals who mug you by force may also be able to force you to remove FaceID, but they may also compel you to give away your PIN. Government has already made devices to bruteforce PINs; we should've swapped to passwords ages ago.

[1] https://media.ccc.de/v/31c3_-_6450_-_de_-_saal_1_-_201412272...


> TouchID can be easily tricked. From december of 2014 at CCC: [1]

While I am sure it is not impossible, nobody has been able to provably "trick" the current-generation Touch ID sensor. Only demonstrated on the first revision (found in the iPhone 5s, and possibly the iPhone 6 too).


Tell apple they can only recognize your face if it shows a certain expression


https://danielmiessler.com/blog/why-biometric-data-breaches-...

I submitted this earlier today but it didn’t get traction.

Basically it could be done.


But your argument makes no sense. The attack isn't "someone stole the processed image ("stick figure") of my fingerprint", the attack is someone copied my fingerprint.


That’s TouchID. Can they reasonably steal a full perfect 3D map of your face that can pass the attention checks and whatever FaceID uses to determine it’s you?

The fingerprint argument isn’t an argument against FaceID. And it’s still kind of pointless because Apple put out figures a few years ago that TouchID led to a ~50% INCREASE in locked phones.

You seem to be arguing that a secure passcode without biometrics is better. It seems that if the public can’t use biometrics they prefer NO security. So even with that ‘flaw’ it’s no worse (often MUCH better) for everyone.


Oh, no, I absolutely agree that biometrics overall increase security for everyone. My argument is entirely a pedantic one. FaceID is clearly an improvement precisely because it makes stealing your "original" biometrics much more difficult.


But that’s all we’ve seen in EVERY thread about FaceID.

“Biometrics are evil because you can’t change them.” Or “They’re usernames/passwords/whatever.” Or “FaceID can be subverted by a nation state with 3 years and $75 trillion”. Or “You can just unlock it with a single picture from Twitter.”

And of course “If only they added an esoteric and complex method of unlocking a fake environment under duress by winking the word tomato backward in French Morse code...”

None of it seems helpful. Using a FaceID discussion to argue TouchID is insecure... seems pointless. The arguments about how it can be bypassed (supposedly) with JUST a 3D printer and thousands of high resolution photos and a video of you looking into a camera and........ come on. This stuff would be unbelievable in an Oceans 11 sequel.

And people argue as if FaceID has to be perfect when it replaces a fingerprint (which is easier to fake) or basically nothing. We’re not securing the Crown Jewels here. We’re trying to keep the guy next to you at the bar from tweeting as you.

So in the end there is no useful on-topic discussion. It’s just an irrelevant story that people can use to tell about their pet biometric issues even when they don’t fit.

People are still arguing about things Apple said during the initial keynote. The only one I don’t see from before is the ‘will it work in the dark’ question which Apple explicitly mentioned in the keynote.

I want to know more about FaceID from people who know more about security. Instead we’re discussing how the technology it replaced is bad and fringe internet conspiracy theory level nonsense.

Edit to add one more thing: maybe this is rose colored glasses but I don’t remember the threads around TouchID being anywhere near this bad. People argued over how easy it was to get a fingerprint, sure. That’s fair. But the rest of the discussion seemed much more relevant.


"Can they reasonably steal a full perfect 3D map of your face that can pass the attention checks and whatever FaceID uses to determine its you?"

Plenty of phones and cameras have 3D capability. That kind of tech is already being used in cosmetology courses to 3D print a model of your own face and hair for hairstyling practice. It wouldn't be that difficult to make a warm 3D mask to fool the infrared camera and sensors.


But how close do you have to get to use that 3D capability? And is its resolution as good or better than what Apple is using?

I mean sure you can knock someone out and use a handheld 3D scanner to get a whole bunch of good shots of them but that’s hardly someone walking down the street and you getting a quick grab of their face.

My point isn’t that it’s impossible it’s that it’s not feasible for any normal person or group without a large and noticeable undertaking. These are not reasonable threat models for normal people.


"But how close do you have to get to use that 3D capability?"

With a Lytro camera you could do it from just about any distance.

"but that’s hardly someone walking down the street and you getting a quick grab of their face."

All you have to do is even look remotely interested in your phone and pretend you're not taking a picture - boom info gotten surreptitiously. That's assuming the other person you're copying biometrics from is even paying attention - odds are they're probably too focused on their own phone to notice.


I think you are oversimplifying. The IR camera isn’t detecting “warm” (it’s not a FLIR camera), it’s detecting color in the IR range, which is going to be extremely characteristic of a face. In addition, a mask may copy appearance, but it’s not going to copy physical shape in detail. Finally, the channel between the sensor and secure enclave is likely encrypted and/or authenticated, so you can’t just inject any depth image.


"it’s detecting color in the IR range,"

A very narrow bandwidth of IR thanks to what we term the "Infrared Window," which is trivially easy to duplicate or fool, as it's one of the same IR bands used for surface mineralogy done via satellite.

I'm really not oversimplifying at all; I am applying knowledge in fields in which I am competent to say "You think it can't be that easy, here's how easy it can really be."


Very important point (re: house key analogy).

Houses and cars are 1000% not secure, you can always break a window and get access. That's why they have ARMORED cars and bank VAULTS or safes.

However, if you break a window, or drill a hole in a safe, there is "visible sign of forced entry".

https://en.wikipedia.org/wiki/Forcible_entry

When you see a broken window by your front door, when you see a broken window on your car, when you see a hole cut through sheetrock next to your door, or you see your door blasted off its hinges, you know that the security of the device has been compromised.

That's truly what's missing on device security nowadays: "Signs of Forced Entry" ... number of incorrect password attempts, number of incorrect FaceID / TouchID attempts, etc.

And if your device is rooted or untrusted, then there's often not a good, trusted, visible way to see that security has been actually compromised (as opposed to attempted to be compromised).


You raise very good points, but it's not like there aren't ways to break into a house without signs of forced entry.

To my mind, privacy is often the most important difference. There are a lot more private things on my phone than in my house, honestly -- a phone these days is often almost an extension of the mind. Which is why we should hold it to a higher standard.

I personally have no problems with TouchID/FaceID, I think the secure enclave is great, but I still think there's a lot of room for improvement, better sandboxing of data, better tripwires for when data is accessed/transferred, etc.


It all depends on your threat model. Police are perfectly capable of breaking into my home, but it doesn't matter, because if they do it without a warrant everything they find is inadmissible in court. Whereas with FaceID, if I'm arrested and they point my phone at my face to unlock it against my will, anything they find is now admissible as evidence.


Two questions:

How often do you get arrested where that edge case is a legitimate concern?

If being arrested were a legitimate concern, why would you keep data on your phone that would implicate you in a crime?

If you were in a higher risk group (e.g. a drug dealer), why not disable Face ID? Use a six digit pin and be done with it.

I am not particularly worried about cops, I am worried about losing my phone and having some jackass using my data to fill his bank account.


I and others I know have faced this problem often enough that it is a primary concern for me.

Political dissidents are the group I'm concerned about. Police are very interested in extracting contact lists from activists' phones in order to build a model of their social networks and infiltrate/disrupt them. This is a pervasive problem.

Yes, the answer is to get people to turn off FaceID if they're at risk, but educating large groups of at-risk people is hard, and it would be better if this feature were not turned on by default.


Apple’s studies/metrics showed that basically no one (5-10%?) used passwords or pins before TouchID.

You already have to educate them to use a password, is it that hard to say ‘and don’t use biometrics either’?


No, now you have an additional problem, because they might ignore the advice to use a password now that they think their device is secure by default


Would they? The only data we have says that even though people should secure things they don’t. Is it really going to be that different for people who have a REALLY good reason? I kind of doubt it.

And does it matter? If a government wants to repress they’ll do it. They’ll beat you or harass you or something like that.

“Well we think you’re trying to overthrow us but FaceID is turned off on your phone. I guess we’ll give up today. You’re free to go, have a nice time. ”


If you don’t know a passcode is required for touchID/FaceID, you don’t know enough about the topic to comment.


You have to use a passcode to enable FaceID.


I keep hoping that FaceID will also get FacePassword, where you have to show one or more expressions in order. Then it becomes a password, and the police can't force you to change your expression.


Or better yet. Permanent lock or deletion of data if you perform a sequence of facial features you can set. Blink blink smile nod blink


That's a pretty fantastic idea. I think even courts will find that the government can't compel you to change your face expression, as they tend to do that for anything the government can't physically force you to do anyway. For instance, they say the government forcing you to unlock with your fingerprint is legal, because the government's agents can use force to put your finger on the phone anyway. So it's legal. But the government can't force you to "remember" your password. So trying to do that is illegal.


Oh no, they can compel you to enter your password. By which I mean, if you don’t enter it, they can hold you in contempt of court indefinitely (possibly even for longer than you would be held if you submitted to the search and were found guilty based on the evidence and received the maximum sentence).


To the extent the police can legally compel you to provide access to a device, the means by which that access is protected does not impede their legal capability to do it and impose consequences for non-compliance.


That's the thing -- the police can't legally compel you to provide them access to your device, but if they can get it without you having to give them anything, by, say, pointing the phone at your face, it's fair game. I don't have time to look up the court precedents about this, but that's my understanding of the current state of the law.


> the police can't legally compel you to provide them access to your device

Your understanding of the current state of the law is very wrong.

There's a person in the US [0] who has been in jail for multiple years now without being tried / convicted due to refusing to provide access to their devices.

There's another case with a warrant[1] allowing an officer to force someone to unlock their phone protected by TouchID.

I have also heard multiple US states have enacted laws specifically addressing device unlock, but I don't have links to them at the moment.

[0] https://arstechnica.com/tech-policy/2017/08/man-in-jail-2-ye...

[1] http://files.cloudprivacy.net/la-iphone-fingerprint-warrant....


I don't think "very wrong" is a fair assessment. Here's a summary of current law (as of 2016) concerning cell phone passwords: https://consumerist.com/2016/05/03/can-law-enforcement-force...


> the police can't legally compel you

That is a very wrong statement. I don’t care if things changed a year or more ago, it doesn’t make it any less wrong now. I of course meant no offense to you, but legal statements which are wrong could easily mislead someone and the emphasis is necessary. Apologies if offense was taken!


I misread the upthread comment as implying that FaceID “passwords” were more legally secure than regular passwords, not just more legally secure than plain FaceID.

I agree that the description you provide is generally correct.


There is a way to quickly disable face id, presumably you would do so in most situations when facing police.


There's also a way to break in your house whilst you're gone or asleep. In the former case, if the device is in your house, would you've disabled FaceID? In the latter case, would you've disabled FaceID? Would you've disabled FaceID when you were going outside (with your device) and you'd be busted then? Answer in all these cases: Of course not.

So a PIN alone would've been more secure. It'd have cost the government more effort to crack. A strong password or TOTP would've been a better solution. Pref. 2FA w/both.

You could use FaceID as 2FA, but then people need to keep in mind that it's a very weak link in the 2FA chain. They still need a strong other factor, i.e. a strong password.


That doesn't really make sense. If they take your phone while you're gone or asleep, FaceID is worthless to the attacker anyways because they'd either not be attentive or they wouldn't have your face at all. On top of that, FaceID disables itself and requires a passcode after 4 hours of no detection or 48 hours of continuous time that the phone hasn't been unlocked. Either way, you'd be covered. The only situation where this is actually an issue is where you're being compelled, on the spot, to unlock your phone and you haven't had the time to click the side buttons (which would be very rare since it would just require you to squeeze both sides and you'd have the chance to do that while performing the action of handing your phone over).
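The fall-back policy this comment describes, written out as an added model (constructed here, not Apple's code): biometric unlock is gated by the 48-hour and 4-hour windows and the side-button disable from the comment, plus an assumed failed-attempt threshold of 5, and every refused or failed attempt is logged so the owner has the "signs of forced entry" the house-key comment upthread asks for. Times, the threshold and the event names are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FOUR_HOURS = timedelta(hours=4)
FORTY_EIGHT_HOURS = timedelta(hours=48)
MAX_FAILED_BIOMETRIC = 5  # assumption: the thread gives no number for this

T0 = datetime(2017, 9, 27, 9, 0)  # constructed reference time (09:00)


def at(hours: float) -> datetime:
    """Helper: a moment `hours` after T0."""
    return T0 + timedelta(hours=hours)


@dataclass
class DeviceState:
    last_unlock: datetime          # last successful unlock by any method
    biometric_armed_at: datetime   # last FaceID unlock or passcode entry
    failed_biometric: int = 0
    disabled_by_user: bool = False
    log: List[Dict[str, str]] = field(default_factory=list)

    def record(self, when: datetime, kind: str, detail: str) -> None:
        self.log.append({"when": when.isoformat(timespec="minutes"),
                         "kind": kind, "detail": detail})


def biometric_allowed(state: DeviceState, now: datetime) -> Tuple[bool, str]:
    """Decide whether a FaceID attempt may even be evaluated at `now`."""
    if state.disabled_by_user:
        return False, "disabled by side-button squeeze"
    if state.failed_biometric >= MAX_FAILED_BIOMETRIC:
        return False, "too many failed biometric attempts"
    if now - state.last_unlock >= FORTY_EIGHT_HOURS:
        return False, "no unlock in 48 hours"
    if now - state.biometric_armed_at >= FOUR_HOURS:
        return False, "no biometric unlock in 4 hours"
    return True, "ok"


def attempt_biometric(state: DeviceState, now: datetime, face_matches: bool) -> bool:
    """A FaceID attempt: the policy gate runs first, then the (simulated) match."""
    allowed, why = biometric_allowed(state, now)
    if not allowed:
        state.record(now, "refused", why)
        return False
    if not face_matches:
        state.failed_biometric += 1
        state.record(now, "mismatch", f"failed biometric attempt #{state.failed_biometric}")
        return False
    state.failed_biometric = 0
    state.last_unlock = state.biometric_armed_at = now
    return True


def unlock_with_passcode(state: DeviceState, now: datetime, passcode_correct: bool) -> bool:
    """A correct passcode re-arms FaceID; a wrong one is itself a sign worth logging."""
    if not passcode_correct:
        state.record(now, "wrong_passcode", "incorrect passcode")
        return False
    state.failed_biometric = 0
    state.disabled_by_user = False
    state.last_unlock = state.biometric_armed_at = now
    return True


def emergency_disable(state: DeviceState, now: datetime) -> None:
    """The side-button squeeze from the comment: passcode required until entered."""
    state.disabled_by_user = True
    state.record(now, "user_disable", "biometrics disabled by owner")


def forced_entry_signs(state: DeviceState) -> List[Dict[str, str]]:
    """The 'signs of forced entry' the owner could review afterwards."""
    return [e for e in state.log if e["kind"] in ("refused", "mismatch", "wrong_passcode")]


def run_scenario() -> DeviceState:
    """Constructed timeline: owner unlocks at 10:00, sleeps, phone is tried at 02:00."""
    state = DeviceState(last_unlock=T0, biometric_armed_at=T0)
    attempt_biometric(state, at(1), face_matches=True)    # 10:00: owner, succeeds
    attempt_biometric(state, at(17), face_matches=True)   # 02:00: refused by the 4h rule, right face or not
    unlock_with_passcode(state, at(23), passcode_correct=True)  # 08:00: owner re-arms with passcode
    emergency_disable(state, at(24))                      # 09:00: owner squeezes the side buttons
    attempt_biometric(state, at(24.1), face_matches=True)  # refused: disabled until passcode entry
    return state


if __name__ == "__main__":
    for entry in forced_entry_signs(run_scenario()):
        print(entry)
```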


> On top of that, FaceID disables itself and requires a passcode after 4 hours of no detection or 48 hours of continuous time that the phone hasn't been unlocked.

You know how and where Ross Anderson was busted?

This is peanuts to beat. You bust the target whilst they're at dinner having a drink, or right after they've gone to sleep. The government knows your current position, and knows when you're asleep. Once this has become the status quo, rest assured cops with a police warrant wouldn't enter anymore at 6 AM right before you wake up but at 1 AM right after you went to sleep (but before your FaceID would time out).

> (which would be very rare since it would just require you to squeeze both sides and you'd have the chance to do that while performing the action of handing your phone over).

Law enforcement will adapt very quickly to that if this becomes the status quo. They'll first and foremost bust your hands, so that you are unable to lock your phone. Then they hold the phone before you and voila, unlocked.


If you have anything on your phone that's valuable / incendiary enough that the government is willing to SWAT you to get at it... don't use goddamn biometrics.

In encryption terms, logging in with biometrics is "vs. kid sister" security, not "vs. major government" security.


With any sort of password or authentication, you can just wait for the person to take out their phone and start using it, and then grab it from them. Not exactly difficult. If you are so concerned about security that you think there is a good chance someone is going to physically attack you to get into your phone, you should just assume someone will get into your phone eventually, and don't keep any sensitive data on it. For the other 99.9999% of the population, face id is good enough.


The problem with phone security nowadays isn't merely the data people have on the phones, it's the data people have in the cloud as well, with passwords being saved on the device.

> If you are so concerned about security that you think there is a good chance someone is going to physically attack you to get into your phone, you should just assume someone will get into your phone eventually, and don't keep any sensitive data on it. For the other 99.9999% of the population, face id is good enough.

I don't understand this statistic. Are you arguing 99.9999% of all phones aren't a potential target of being stolen? Are you arguing 99.9999% of all people's data isn't interesting to authorities? You're being overly optimistic about FaceID.


> I don't understand this statistic. Are you arguing 99.9999% of all phones aren't a potential target of being stolen? Are you arguing 99.9999% of all people's data isn't interesting to authorities? You're being overly optimistic about FaceID.

No, I'm saying that, for effectively everyone, there are way easier ways to get into their phone than through FaceID, for example by just taking their phone while they are using it. So for effectively everyone, FaceID will not change their security risk, because there is no motivation for anyone to try and bypass their FaceID when there are easier attack vectors - especially when you are able to disable FaceID the second you feel you are being threatened.


That isn't taking into account how frequent relative to all such target objects an attack occurs. If a (much?) smaller percentage of houses get burglarized vs. number of phones broken into, then security requirements are not really comparable. (Note that I have zero idea of or even guess for the sizes of either, though.)


> Even with the worst biometrics, your phone would be more secure than 99% of houses. And I don't see people complaining about the state of home security...

1. Many (most?) people have more private information on their phones than they do in their house, and there are different risks of each being compromised, so there should be different standards.

2. My impression of the security community is that pretty much everyone uniformly agrees that home security is garbage and needs to be improved.


I have a house with a standard lock. A couple years ago someone decided to kick the front door in while I was at work. We have shitty house locks because the entire system is terribly insecure and strengthening one link in the chain is pointless.


Physical locks just keep honest people honest.

Also, OP says you can't lose your biometrics. You can, it's just painful and you'll not be the least bit happy about it.


There are better doors out there:

https://www.youtube.com/watch?v=Bk48kU6fGWc


The thing is I'm not really too concerned about my home's physical security (I lock the door, but the entire attack surface area is too large for my risk profile to lock it down extensively). If the cops want to search my house, they can kick the door in. If a thief wants to take something they can break a window. If a fraudster wants to trick my landlord into letting them in they could do so. As a result truly important property and information is fully secured using passcodes and pin numbers.


It's more nuanced than you put it with physical keys.

Consider for a moment the baklava [1]. A baklava increases anonymity of an attacker (i.e. burglar in our discussion), but also increases suspiciousness of victims and 3rd parties (i.e. innocent bystanders, witnesses).

Physical burglary has many of these nuances, trade-offs.

A key on a front door is meant to keep an attacker out for as long as they get caught and/or identified, or become afraid they get caught and/or identified. It isn't meant to stop an attacker from entering a house. If an attacker wants to enter your house, they can just break in via a window. Various techniques exist for that, some are noisy, others are more sophisticated and aren't noisy.

Someone who's trying to enter via a window by night though is suspicious which means the attacker might be noticed and get caught. Most normal house keys [at least here in NL] are very cheap and have a lot of vulnerabilities, they have weak entropy (e.g. 6 entries with 6 options each), or are vulnerable via lock bumping (takes max 10 sec to enter and doesn't look very suspicious).

With electronic devices, it's more binary, but it depends a lot on whom you're defending against. Petty criminals, technical criminals, or state actors.

> This is in contrast to passwords and pincodes, which can be stolen by eyeballs, cameras, audio recording devices, etc.

Yes, passwords can be stolen by eyeballs and cameras and Van Eck phreaking (TEMPEST). However if combined with TOTP it becomes something you have and something you know. Facial recognition is just a form of something you have, and the key cannot be changed.

The key can be put off, but that is not more secure than having TOTP on your watch (with yes/no button) and being able to disable the authentication method on your phone by pressing the power button 5 times.

Liveness is just obscurity. It's gonna be insecure at some point, and you'll be begging Apple for a newer, more secure solution at that point. Pray they still support your device by then.

[1] Yes, thank you, balaclava (bivakmuts in my primary language). I have difficulty pronouncing and remembering the word. I'll keep it as-is for readability of the discussion, and for admitting my mistake.


Note - I think you mean balaclava. Baklava is a delicious Greek dessert.


So basically you are saying that a bad biometric that would allow someone to use a face mask and walk into your home easily would still be better than 99% of house keys?


The username is the face, the password is the pattern of blinking or a unique expression the user displays to the camera.


You can refuse to give out a password or claim you forgot, but with biometrics there is not much of an option.


My twin can't use his house key to get into my house.


This is farcical.


The problem with biometrics is not username vs password, biometrics are password. The problem is that these are client-side protections, and there's no data sent to a server that can verify the identity.

And you can't build a remote identity verification with this data, because there's no way for the user to change it and revoke it (let alone it's very privacy sensitive).

The biometric access control systems (the ones "in the movies", palm recognition, retina scanners...) implicitly assume that the connection between the sensor and the central server is secure, and that the user authorized its data to be in the database. This model doesn't apply to "general users" and "internet companies".

Research in biometric security aims at finding functions of your biometric data that can be revoked and it's not privacy sensitive.

Edit: with "revoke" I don't mean remove it. I mean revoke one and set another one, like you can do for a password/pin, or for a phone number/hw device.


> biometrics are password

Tell that to virtually all the governments around the world, who are now building databases of everyone's fingerprints, from "needing them" for passports to national IDs.

Also that is the problem, because those biometric signatures can be hacked. It's way harder to hack into 1 billion devices to steal everyone's biometric signature. That is a feature not a problem.


> The problem with biometrics is not username vs password, biometrics are password.

Yes, that is the problem. No, biometrics are not password. Please stop spouting this nonsense? Biometrics are akin to username; they suggest your identity, but don't authenticate you. They should not be used as password because they cannot be changed, and cannot be kept secret. A password (or better, TOTP authentication) can be changed, and can be kept secret; a hardware fingerprint scanner (or face or iris scanner) cannot be changed, and can be faked by any semi-intelligent person or organization. Fingerprints can already be stolen and used in identity theft. We saw this several years ago at CCC when a German minister got his/her fingerprints stolen as a way to prove the insecurity. It is only a matter of time until the common people learn how to trick face recognition and iris recognition. In the meantime, strong passwords and (preferably) TOTP are secure. Use that instead.

> Research in biometric security aims at finding functions of your biometric data that can be revoked and it's not privacy sensitive.

Cat and mouse game, and wrong premise: biometrics cannot be revoked. They're permanent.


That's not entirely true either, though. Biometrics cannot be revoked but they don't need to be. Biometrics are just using your face/finger/etc to provide a basis for which to verify identity. If someone is able to fraudulently unlock FaceID on a consistent basis, then Apple just needs to change what information is being generated or secured. Infrared cameras and dot projection offer so many different variations of how that information can be used that the only way someone could break the security permanently would be to make a copy of your face 100%. Just because a specific infrared dot pattern of your face is copied doesn't mean that every dot pattern or feature of your face is useless. Maybe the next iteration of FaceID will also count the pores on your face or the number of hairs. A fingerprint/face cannot be revoked but the method of detection/recognition can be both revoked and changed.


You only read the first sentence and not the rest it seems. I said exactly that, that you can't use biometrics for an identification protocol.

I still disagree on the username. You know my username here and on twitter, you don't know my fingerprint. And no, you can't repro my fingerprint as easily as you think, because "fingerprint reader" is short for a sophisticated piece of hardware that measures other things, e.g. blood pressure.

On the research, I didn't say biometrics can be revoked. I said you can build a function of biometrics info, whose result can be revoked [1]. No one is disagreeing with your premises, but this doesn't mean that the problem has no solutions.

[1] https://scholar.google.com/scholar?hl=en&as_sdt=0,5&q=revoca...


> your biometrics can't be easily stolen, and you can't lose them.

Fingerprints are very different from face. Someone has to actually follow you around and clone your fingerprint from something you touched.

With facial unlock, as virtually all previous systems have demonstrated, you usually only need someone's online photo, or a close variation of that to unlock a device/system that uses face unlock.

With everyone plastering their photos in high resolution all over the web these days, and with machine learning advancing so fast these days, how long until a system like this is defeated?

Do you really think "3D photos" of you can't be created? Or even ones that test for "liveness". What exactly do you think that "liveness test" is? It's just an algorithm that Apple uses. That algorithm can be reverse-engineered.

Also, the claim that Apple's Face ID has a False Acceptance Rate of 1 million versus TouchID's "only" 50,000 is very misleading. That metric only works when you think of an attacker throwing completely random faces at the system. Do you think an attacker that wants your phone is going to throw random faces at the device? Or do you think it's far more likely that it will start building that 3D profile out of your high-resolution online photos?

Suddenly that 1 million FAR becomes much smaller, as the difference in profile from what the attacker has already gathered on you from public websites is much smaller than how you look like in real life.

This is what may actually make the Face ID system less secure overall than TouchID. It's just way way easier to get someone's pictures than it is to get their fingerprints.


> Do you really think "3D photos" of you can't be created? Or even ones that test for "liveness". What exactly do you think that "liveness test" is? It's just an algorithm that Apple uses. That algorithm can be reverse-engineered.

I believe it was doing infrared detection.


I still wish it had an "unlock under duress" mode, where you could authenticate with a subtle difference (different gaze, alternate passcode, etc). The phone would unlock itself but then signal back to the mothership, cloud services and even apps that it's in "duress mode". Display in that mode should look totally normal, just some of the information missing (e.g. emails/messages/contacts from certain groups of contacts flagged as "withhold from duress mode"). This could help mitigate physical danger while preserving some of our critical information.

It's akin to having multiple wallets when visiting high-theft areas. Get held up by an armed thief and give them the cash in the visible wallet, while holding back what's hidden in another location.


> I still wish it had an "unlock under duress" mode

The practical applications of this are close to nil.

The government will not be fooled for one second because they can cross reference enough sources to know if you are lying. All this will do is get you slapped with a felony:

https://www.popehat.com/2011/03/18/just-a-friendly-reminder-...

If it is a criminal instead, well, they don't have to tiptoe around moral, ethical or legal concerns. They already have a gun pointed at your head. You act funny, you get shot. Do you want to risk a bullet in your head?

I fail to see the advantage of this mode. Ultimately it will only get you into more trouble.


In addition to this, don't keep private (and certainly not illegal) data on a compute device that you walk around with. Maybe, just maybe, treat that device as compromised from the start and treat it accordingly.

The idea of using them as secure devices should probably stop, at least until they are actually secure. Moreover, if you're committing crimes, maybe don't record them in a way that is recoverable. Not that you should necessarily be a criminal but, if you're going to be a criminal, you should probably be a safe criminal.

Don't text me saying you need a G for the yayo. The cops know what that means.


Why carry a smartphone then? Current tech doesn't allow for regular users to secure their data in this fashion. I mean you'd have to completely log out of something like Dropbox even if you managed to keep your data remote.


There are plenty of uses that don't require you to give them as much trust as people do. I'd never suggest banking on a smartphone, but people do. I'd use a separate email, just for the smartphone. I'd not store medical data on there. I'd not put private data on there.

That doesn't mean they are useless, just that I consider them compromised right out of the box. I treat it accordingly and will recommend others do the same until they are much more secure.

They are great for lots of things. Privacy and security are not among those things.


That sounds like a cool feature, but probably applicable to 0.0001% of the population. Think of all the work app developers would need to do to make their app "duress compatible" in the very rare chance someone is being held at gunpoint and the person is asking to see their emails.


Not to mention incredibly difficult to pull off. It isn't like having two passwords, one distress password and one normal. An algorithm that needs to identify your face in any situation AND detect subtle characteristics? I don't see that being a reality with our current technology. Or at least without significant false positives. Though a two password feature would be nice and easy to implement.


It could be something as simple as having one eye closed when under duress(sorry, monoculars!). It only takes one unlock attempt to then lock it down. Bonus with this is that LE couldn't hold the phone up to your face while you are sleeping to unlock it.


I see two problems with that. 1) Everyone now knows that the duress signal is one eye. 2) People with one eye (or at least as far as the algorithm is concerned) cannot use the service. Say you got beat up and one eye was swelling: you might accidentally set it into duress mode when you need the full mode, and you bypass the password override.

I just think that a duress mode with facial recognition (that also has to account for eye-wear, makeup, and various environmental changes) is going to have a difficult time creating a duress mode. Whereas a dual password system is easy to implement.


I think the point was that the user would get to choose what their duress trigger would be. For some it would be one eye, for others a tongue, for still others it might be a swipe on the phone or 3 taps and a swipe...


I think with current technology that'd make the training prohibitive unless you boiled it down to a few options. Which would still likely result in false positives. I mean, this stuff isn't magic.

OR you could use the face as a username, as many suggest, and a short 4 pin password. You could easily have a duress password option (which as far as I know doesn't exist), still quickly log in, AND have fairly good security.


Why wouldn't you just make it via a separate password... simply force your device into password unlock mode (no faceID/touchID). enter the duress password.


I thought the point of a duress password was to be covert. Plus, someone can still force the real unlock just by holding the phone to your face. I'm still under the impression that you'd need the face to be a username and two passwords.


How did you arrive at the "0.0001%" figure? Of what population is that a percentage?

I strongly dislike this kind of waving away an important feature request. These days anybody crossing the border of the USA could be asked to unlock their phone. I'd say that's at least a larger percentage of the "population" (whatever population you meant) than "0.0001%".


> I strongly dislike this kind of waving away an important feature request

I could easily say I dislike people making up ridiculous corner cases and demanding new technology be designed for it and being deployed.

Are there any authorization methods on any kind of mainstream devices that provide that capability?

I tend to agree that it’s not actually useful and would be incredibly hard to implement, all for a case where most people will just give in to avoid harm and forget the option, if it’s even on, exists so they can’t activate it.


Are you saying that I shouldn't be able to snap my fingers three times to call 911? What if I'm handcuffed?


The 0.0001% was obviously a facetious figure. Meant to convey the fact that a duress feature whereby you cross your eyes while using FaceID to "alert the mothership" as OP said, is an extreme corner case.

As another commenter said, you can't expect Apple (or any manufacturer) to build all these extreme corner cases. If you don't want to unlock your phone at the border, put it in your checked luggage or ship it to your hotel/destination.

If you still think that Apple should build something like this because it's important and serves a non zero % of the population... I'd also like Apple to build...

1. FaceID that will tell me when I have something in my teeth

2. FaceID that will tell me when my hair is messy

3. an iPhone that listens to my voice and detect when I might be sick and orders cough syrup

4. an iPhone accelerometer that detects when I am limping and books a physio appointment

5. an iPhone camera that can detect when someone is watching me in the distance

6. an iPhone that will passively listen for gunfire and tell me to seek cover.

See how feature requests can get out of control.


If the phone allowed multiple users that might be one way to do it. Just log in to another user.


Yes, allow the users to create multiple accounts and also allow them to encrypt and hide those other accounts.

This should also be available to fingerprint readers, as the suggested "gesture" would be even easier: just use a different fingerprint (you can set the fingerprint that everyone expects you to use as the "other fingerprint", and use some other fingerprint as your default one).

It should also work with passwords, etc.


Xiaomi's MIUI has this feature, you can use different fingerprints to directly enter a "2nd Home" or something where all apps / data is segregated. It's not really designed to be too stealthy though as there's ways to switch back to the regular homescreen.


Or use all that machine learning to fake a normal user profile…


They wouldn't have to do any work. It'd be an OS level implementation. In the same way that you can customize what apps receive/show notifications, you could choose which apps are sandboxed in the "duress" mode. Anything outside of that would be optional security for developers to implement.


Just say "it's to fight terrorism" and everyone will have it. It'll be required by law soon thereafter.


Huawei phones have this feature: an alternate passcode or fingerprint will enter guest mode, but the screen will not show the word Guest. When setting it up, mark folders, apps, things as private, and they will simply disappear from the phone. Although the installation folders on the SD card will not disappear.


Some fingerprint access systems have this feature, where you scan a specific finger as your duress finger. If you use that finger it triggers duress mode, which can be configured as an alarm, a silent alarm, a simple log event or anything.


This sounds like a cool idea, but I don't think it would work in practice.

The would-be thief, assuming he knows about the "duress mode" (which isn't a bold assumption considering the large black market for stolen iPhones), would recognize that you've logged in to something strange, that doesn't show any useful data. They'd just pull back the hammer on their pistol and tell you to try again.


It could just log in to a 2nd account... then you could go in and create files, install apps, etc.


>I still wish it had an "unlock under duress" mode

It has something else: Don't unlock under duress. You press one of the buttons five times, and the police or a robber can't use your biometrics to unlock it.

It's not the same thing as what you're looking for, but interesting still.


Well, I understand that I kinda have to trust Apple but given Apple have my decrypted contents, shouldn't flagging something as highly sensitive be considered a bad move?

There are circumstances in which Apple is obliged to provide law enforcement with what they have, and can't tell you that they provided it.

Having said that, nothing beats an unsynced phone with a long password. No FaceID, no AI recognition, no iris, no fingerprint. Just a good old long password.


> given Apple have my decrypted contents

Where exactly is Apple storing the entire content of your iOS device unencrypted? Hint - they're not...

[1] https://support.apple.com/en-us/HT202303


Love this idea. And doing it with your face allows much easier plausible deniability over something with your hands/touchID.


Good document, but I was really hoping they’d go deeper into how they tested some of the fraud detection stuff (masks, etc) or give us some statistics on the twin/family member issue.


It mentions infrared picture. Masks probably have a different infrared signature.

But so does your face if it's been wearing a balaclava in the cold (some parts will be cold and some will be warm...)


Just guessing here, but veins and blood flow are visible in infra red [1]. A color camera can also measure pulse using small color variations.

[1] https://software.intel.com/en-us/articles/pulse-detection-wi...


Apple wants this to work in total darkness. So color wouldn’t work. Do we know if they’re projecting IR light (besides the dot pattern) that they could use to look for blood vessels?


Yes. The iPhone X has something literally called the "Flood illuminator" which projects IR light. This is one of the many reasons FaceID is not retroactively available to previous iPhones via a software update.

> The flood illuminator produces infrared (IR) light, part of the electromagnetic spectrum that's invisible to the naked eye, to illuminate your face;

https://www.forbes.com/sites/jvchamary/2017/09/16/how-face-i...


Oh you’re right, I somehow missed that. Well that makes things more interesting doesn’t it.

I guess that leads back to my question (in another comment) about whether or not face paint would affect it.


I seriously doubt they’re using actual infrared emissions (as in heat measurements), I imagine it’s just used as a simple B&W camera so they don’t need visible light.


Since I’ve been downvoted and I can no longer edit, let me try to explain my theory:

I’m guessing they only use the camera to read the positions of the dots projected onto the face. I don’t think they care about the ‘color’ of the face or how hot it is thermally.

They’ve said they’re projecting the infrared dots? Have they said they’re doing any other kind of infrared illumination like the kind that can show blood vessels?

I’m curious to see if face paint (assuming it reflects IR to a reasonable degree) interferes with FaceID. If it does they’re using more than just the dots for geometry. On the other hand if it doesn’t then they can’t be paying attention to things like IR emissions from the skin since it would be covered and thus heavily dampened.

Right?


It was brought to my attention in another comment that they do have an IR light to illuminate the face besides the dots.

Now I’m even more curious about the face paint.


Questions:

* Does one explicitly set up their FaceID with the option to skip, like how TouchID works currently? I see (when...enabled) verbiage, which is a good sign.

* "The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID)" If you have a face that causes most people you meet to say "oh, you look like X, Y, or Z", is this probability reduced? Other comments noted Twins. This isn't meant to be humorous or tongue-in-cheek, there could be a precedent that people of certain appearances are easily spoofed.

* "To avoid a user having to reenroll to Face ID when these neural network changes are made, iPhone X will be able to automatically run stored enrollment images through the updated neural network."

I guess a layperson would see the words "automatically" and relax, but this leaves more to be desired in explaining the "Secure Enclave" to me. The Name "Secure Enclave" almost sounded like remote storage until I read that the data never leaves the device.

Thanks for the downvotes for questions!

[0] http://www.pnas.org/content/102/35/12629.full


Secure Enclave isn't something new to FaceID. It was developed for Touch ID. Some details here: https://www.apple.com/business/docs/iOS_Security_Guide.pdf


> I see (when...enabled) verbiage, which is a good sign.

Of course. See "Face ID requires a facial match — or optionally the passcode — at every wake." and "If you're concerned about [matching with a twin], we recommend using a passcode to authenticate."


This document has more information on the Secure Enclave.

https://www.apple.com/business/docs/iOS_Security_Guide.pdf


Would be cool/weird if you could find out who they were and have a meetup.


I've met a few. Paths have moved on but it would have been cool to see if they could try unlocking my phone if this came out during my tenure in college.


Like Touch ID, you don't have to enable Face ID if you prefer not to use it.


> The probability of a false match is different for twins and siblings that look like you as well as among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate.

I was really hoping they'd provide the probability for identical twins, but maybe they don't have enough data to give a specific number on this (I assume most of their data comes from people without identical twins).


I believe the probability for identical twins is 1 in 1; they mentioned in the keynote that some people will have to stick with passcodes, including those with "evil twins". (Presumably if you trust your identical twin to not be evil, you don't care if they're able to unlock your phone.)


Identical twins aren't identical down to every last detail. What I'm curious about is if Face ID can pick up on any details that are different that humans wouldn't notice.

Also regarding the "evil twin" thing, evil twins came from another dimension so, aside from the goatee, they really were literally identical down to every last detail. It's unclear to me if that joke was meant as "your identical twin will be able to unlock your phone, so hopefully they aren't evil", or was just meant as "someone who looks like you might be able to unlock your phone". Probably a bit of both. But this is why I want to know what the actual probability is that an identical twin can unlock the phone. Maybe it really is 1 : 1, but maybe it's not.


Assuming the hardware isn't being pushed to the accuracy limit for the sake of processing time, perhaps there could be an "enhanced security" mode that requires a more thorough check? I suspect their 1:1,000,000 false-positive number is an extrapolation of the maximum allowable difference in measurement. They probably could have set that "fudge factor" to a value that corresponds to something like 1:1,000,000,000 and increased false negatives to 50%.

Maybe it needs to see more "liveliness" and a few degrees head rotation?

Overall I think with the alertness test, the 48-hour passcode lockout, the "press the lock button 5 times" panic mode, and a limit on all attempts is enough to discourage most three letter agencies. It seems to have been enough with TouchID.


I understood “evil twin” as “twin who happens to be evil”. The example they showed was Spock’s evil twin which would match your interpretation, though.


> The probability of a false match is different for twins and siblings that look like you

Apple mentioned this on stage, which to me was quite significant since they don't waste a single word during their keynotes.

They still haven't given approximate collision chances and to me this must mean they think it's below the 1/50,000 touch id had.

My understanding is fingerprint collisions are highly random. That is very different from Face ID collisions since they are highly predictable.


They said in the keynote the chance a random person could unlock your phone with FaceID is 1 in a million.


Twins and siblings that look like you are not random people.


Now I'm imagining the FBI using its facial-recognition databases and tracking down people who look like the phone owner to wave an iPhone in front of their face.


I'd watch that TV show.

"Dylan and Luke are bounty-hunters of a new breed. They have to find the long-lost twins of suspects on FBI's Most Wanted list. On this episode of Face Hunters..."


But you’d have to do it without it seeing people you don’t intend to test with. You only get 5 tries. You can’t wait too long or it will hit the timeout.

Sounds like a movie plot to me (I made a guess at one if you dig through my comment history).


Can someone help me understand why @gre got down-votes here? I don't get it.

As far as I remember, in the big reveal, they did make a point of saying that FaceID had a much lower chance of colliding than the fingerprint ID system.


I'm not the down-voters, but my guess is due to citing the 1-in-a-million figure, which is Apple's claim about a random false positive, in response to a question about false positives with twins. Someone reading fast or simply not thinking critically could come away with the wrong impression.


He got downvoted because he said something that didn't match up with what OP said. In the presentation, Apple said

> The probability of a false match is different for twins and siblings that look like you

So that means the 1 in a 1,000,000 chance doesn't make sense here because Apple said the probability is different in regards to twins and siblings that look like you. So @gre just spouted off the statistic when OP was asking what the probability might be in regards to twins and siblings, because Apple says that it is different.


They did, but the quote above was about confusion between twins or siblings. Those are explicitly not random people.


For random faces, yes, but for a twin or sibling it’s more likely; what’s interesting is that they haven’t said how much more likely. If it were less than 1/50k then you might have expected them to confirm that it was still more secure than Touch ID, though that’s not certain.


"Once it confirms the presence of an attentive face, the TrueDepth camera projects and reads over 30,000 infrared dots to form a depth map of the face, along with a 2D infrared image. [..] To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern. [..] the A11 Bionic chip [..] transforms this data into a mathematical representation and compares that representation to the enrolled facial data."

So it matches on a math model created using face data and 'a device-specific random pattern'. So unless someone cracks the algorithms used here, you need the device data to spoof the model, assuming the pattern is used in a way that you can't simply ignore it and generate matching models using just a spoofed face.

"We worked with participants from around the world to include a representative group of people accounting for gender, age, ethnicity, and other factors."

If the model is really hugely inclusive, it could be too general. But also it would be very difficult to get the same number of scans from some minority populations, and that could affect the functionality of the result.

"An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks."

Gruesome thought: what if somebody obtained your face?

Additional thought: could we train the neural network to detect faces under duress and immediately lock the device?


I was really unhappy about FaceID last week, but if the attention sensing tech works reliably, I think it's probably better --- including under duress --- than TouchID.


I wonder if the feds can compel you to open your eyes


It would seem to be extremely difficult for them to compel you to aim them at a fixed point in space.


The police can forcefully draw your blood with a warrant.

Maybe they can also forcefully sedate you or fix your head/eyes with some medical device.


I wonder if it works on a dead person in a morgue.


I'm genuinely interested in knowing how apple can tell that FaceID is better than TouchID

- TouchID is already very fast

- I can give access to someone else with TouchID without giving my password

- It's unlikely that someone will be able to unlock my phone without me knowing it when using TouchID

- In case of coercion, I still have the possibility to give the wrong fingerprint 9 times before the good one

- I have to voluntarily give my agreement with TouchID for an action (think Apple Pay)

All of that makes me think that they are trying to sell a feature that is only due to their engineering team being unable to put TouchID on the iPhone X. By every real-world metric, TouchID is better in my opinion...


> they are trying to sell a feature that is only due to their engineering team being unable to put TouchID on the iPhone X

I highly doubt it’s easier to add FaceID than TouchID to any phone.


I remember reading some articles about the difficulty to have a fingerprint sensor under a screen, it might well have been easier to have FaceID (easier does not mean easy)


Gruber:

> Apple made this decision well over a year ago. Perhaps the fundamental goal of iPhone X was to get as close as they could to an edge-to-edge display. No chin whatsoever. There were, of course, early attempts to embed a Touch ID sensor under the display as a Plan B. But Apple became convinced that Face ID was the way to go over a year ago. I heard this yesterday from multiple people at Apple, including engineers who’ve been working on the iPhone X project for a very long time. They stopped pursuing Touch ID under the display not because they couldn’t do it, but because they decided they didn’t need it. I do believe it’s true that they never got Touch ID working, but that’s because they abandoned it in favor of Face ID early.

> I don’t know why recent supply chain rumors suggest Apple was scrambling to get Touch ID working on iPhone X as late as this summer, and no one at Apple seems to know either. Disinformation campaign from competitors?


They could have put the fingerprint sensor on the back, as several Android phones do.


And they could also install a hardware keyboard. Neither of which is going to happen. Just because you can do something doesn't mean you should.


Fingerprint reader on the back is unobtrusive and quite an intuitive way to unlock a phone. I can hardly find any issue or "major compromise" with it.

A physical keyboard on the other hand makes a phone at least twice as thick, twice as heavy, and twice as ugly (although the last one is more subjective).


If I had a dollar for every time I watched someone turn their Android phone around to look for the fingerprint sensor on the back, I would have a lot more free time to post on HN.


> It's unlikely that someone will be able to unlock my phone without me knowing it when using TouchID

Do you really think it's likely that someone will steal your phone and then trick you into looking at your own phone without you realizing it? At that point you might as well be tricked into putting your finger on a TouchID sensor.


Well it's definitely possible to have me looking my phone held by someone else. And it's then too late...


Yea, it’s possible a thief would be so brazen as to return to the scene of the crime and show you your stolen phone just to unlock it (instead of just assaulting you till you unlocked it). Who are you worried about, the Mission Impossible team?


I wonder...would it be possible to 3D print someone's likeness so as to spoof the FaceID?


You would also have to make the 3D print mimic the same infrared emission patterns as the original person’s.


It's a competitive move; it gives Apple and their users a bragging point, causing competition an expensive countermove. Competition has to move to depth sensor cameras and more on their phones, while Apple is reducing the expense and improving the quality of theirs. The Face ID tech is immature today, but a quarter or three? The quarter after that once support issues have had a few cycles, and the Face ID team has iterated, refactored and refreshed... This is a basic tech deployment they'll only improve.

The real question to me, a person in the FR industry, is whether Apple will iterate their camera hardware and extend the perception depth range to be competitive in the larger FR surveillance industry. The general FR industry has to recognize multiple people at a distance, and then IoT-like control other hardware, a game Apple is not touching with Face ID - yet.


Pardon my ignorance. FR industry? Foreign Relations? First Responder? Flame Resistant? Google was no help. Edit: Oh, do you mean facial recognition?


FR = Farseical Reality :-)


FR = Facial Recognition.


I think FaceID won't be as good, either, but Apple has surprised me before (with TouchID, no less). The iPhone X definitely seems to be the experimental phone, which I'm glad to see.

I hope they continue the product lines they currently have for the phone: the experimental expensive one, the "normal" and Plus iterative ones, and the not-as-fancy-but-fits-in-my-small-hands one.


- More secure (Face ID uses more data points)

- Less user-interaction to authenticate (though as you point out this is also a negative)

- Allows for other UX improvements, e.g., maintaining screen lighting while phone is being observed but not manipulated

- My speculation: capacity to add additional faces will be added with SW (or next HW) update

__

I don't understand your point #3. How do you think someone would unlock your phone with Face ID?


For their Point #3 I'm guessing they are saying if they are sleeping or a mugger points their phone at their face. Fortunately, Face ID has focus detection, so if you aren't looking at it then it won't unlock. Which makes point #3 moot as well.


Apple has mitigated this, your eyes need to be open and looking at the screen to be unlocked.

It requires your face + your attention.


One common scenario where I often have problems with TouchID and FaceID should solve them: wet hands.


I just train my wet and dry prints separately, as separate fingers. If you promise not to tell any would-be thief/gov about the backdoor into my phone, I’ve done the same for my capacitive glove finger.


That, and gloves!


It doesn't matter what Apple knows is true, they will say FaceID is better because why would they ever say that this new feature replacing the old one is worse?

They can also present the facts in a misleading way that makes FaceID seem better. At the end of the day, you can never truly trust the company to present a fair review of their own device, and that's why reviewers exist.


Could someone help me understand? I've read multiple times in this discussion:

> Many (most?) people have more private information on their phones than they do in their house

But I can't think of any in my situation. Regarding data, almost all is available on my PC and tablet as well, both staying at home most of the time and with security features that can be bypassed with enough time/effort. Moreover, photos, handwritten notes, purchase receipts, bills, love letters and so on are all at my home or accessible through my home, but not necessarily stored on my phone. Digital traces about my communications and travel are available through numerous service providers (mail, cell, isp) ... no need to break into my phone, either.

So, what is the private data only available on everyone’s phones but not in their homes? Unsynced, not backed up private notes and photos never shared with anyone else? Am I missing something (honest question)?


I'm pretty late to this and I'm sure this will get buried...

> Face ID data doesn’t leave your device, and is never backed up to iCloud or anywhere else. Only in the case that you wish to provide Face ID diagnostic data to AppleCare for support will this information be transferred from your device. Enabling Face ID Diagnostics requires a digitally signed authorization from Apple that’s similar to the one used in the software update personalization process. After authorization, you'll be able to activate Face ID Diagnostics and begin the setup process from within the Settings app of your iPhone X.

What is preventing the government from compelling Apple to give up this key, and intercept your diagnostic data?


Diagnostic data still wouldn't provide anything of value as both sides need to give up the key for it to be useful.


You have to authenticate this and it wipes your faceid data. It doesn’t allow upload of the current data.


> To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern.

I await some interesting articles featuring IR imaging after the X ships.


How does that counter physical spoofs? If I have the 3D printing technology to pull off a Mission:Impossible quality mask of my target, what good does a random IR projection do?


There was a bit in the keynote where they mentioned those and said they’d done work to prevent them from logging in successfully. They did not elaborate though. Maybe the IR reflectivity of human skin and usual mask material is sufficiently different?


"Face ID confirms attention by detecting the direction of your gaze"

So to the argument that police can force you to open your iPhone if secured with TouchID, is this perhaps more secure? If you refrain from looking at your phone?


Here's what police do today, and it will defeat this and all types of security:

Follow you until you make a phone call, or do something that requires you to unlock your phone. Then multiple people descend on you and grab you and your phone.


That's if they're interested in looking at your phone for a particular reason, rather than randomly being nosy in a traffic stop.


No, any kind of biometric auth is vulnerable to the adversary forcing your physical compliance.

However you can disable TouchID and FaceID both by pressing the power button five times in quick succession, after which it will require your passcode.


For the iPhone X it's hold both the power button and either volume button for 2 seconds.


I've had a remarkably difficult time getting this kind of thing to register when I try to take screenshots -- probably an issue with my case? -- so it is probably worthwhile to practice doing this ahead of time.


Actually, I think that’s the hard reset sequence - replacing the Home Power combo


From the PDF:

> After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.


5-clicks-in-quick-succession primarily activates the "Emergency SOS mode", as well as temporarily disabling TouchID. I think you should edit your post to reflect this.


It’s disabled until you enter your passcode again, correct, which is what you want. I am not sure what you thought I was saying? If you want to disable it permanently, you can do that in Settings, but doing that requires you to unlock the phone, at which point the adversary may take it and have free rein.


What I'm saying is, if someone wants to simply disable TouchID, without also automatically calling the police by whom they are presently being held then the 5 click method is overkill.


> However you can disable TouchID and FaceID both by pressing the power button five times in quick succession

This seems effective "on paper, but not in practice." Even if you're innocent, it is one of the most nerve-racking experiences to go through.

In the heat of the moment, what if you used an old 5s method to deactivate TouchID instead of whatever method works for the X?


It works fine for me, but if you have a more practical suggestion, can you expand on that? What do you think would work better?


This is woefully insufficient for a feature I have been begging for forever...

I would prefer it to be a double-tap on the power button, or at the very absolute worst, a triple tap. Two buttons simultaneously five times? Impossible to do under any sort of external pressure/duress.


Two buttons press and hold on iPhone X.

Power button 5x on any other phone.


Not sure where you got two buttons from. It's only the power button.


On this year's hardware, they have added a new option to temporarily disable biometrics.

You press either one of the volume buttons on one side of the phone while also pressing the sleep/wake button on the opposite side.

http://www.techrepublic.com/article/how-to-disable-face-id-o...


Didn't realise the X model did it differently than all others. Weird.


It's also available on the iPhone 8 models.

If history is a guide, this will be a new normal that will carry through to future hardware as well.


> If you refrain from looking at your phone?

Unfortunately (myself included), we are so conditioned to look at our phone when it is out in our face that you would have to actively train against this "reflex".


I doubt police will let a little thing like constitutional arguments keep them from forcing you to unlock your phone.

The best decryption algorithm is still rubber hose decryption.


FaceID and TouchID are not passwords, so you have to comply and unlock your phone.

