Hacker News
Face ID beaten by mask (bkav.com)
281 points by scribu on Nov 13, 2017 | 237 comments



I wish they’d tone it down a little. This is really interesting, but stuff like this makes it hard to take them seriously:

“Apple has done this not so well. I remember reading an article on Mashable, in which Apple told that iPhone X had been planned to be rolled out in 2018, but the company then decided to release it one year earlier. This shows that they haven't carried out scientific and serious estimation before deciding to replace Touch ID with Face ID.”

In any case, this doesn’t worry me personally too much. I don’t expect biometrics to be more secure than a password, just reasonably secure and more convenient. Before Touch ID, my passcode was 0000 with a four-hour lock timeout. I only had it set because some apps reduced functionality if no passcode was set. Real world security for me increased a lot with biometrics.

As for fingerprints versus facial recognition, the article claims fingerprints are better, but I’m skeptical. For one thing, my phone is covered in my own fingerprints, so getting something to copy is a lot easier.


I have discovered to my surprise, since shattering my iPhone 6 screen last week, that Touch ID works perfectly well through multiple layers of Saran Wrap. So you could keep your thumb wrapped up if you’re concerned about leaving prints. ;-)

In the meantime, my iPhone X arrives on Thursday, and I’m looking forward to training Face ID. All I got from this article was “these are the lengths you have to go to to defeat it”, which seems pretty darn good for my purposes.


Funny idea. My takeaway from the article was similar. Touch ID was already Good Enough for me, and it sounds like Face ID is quite a bit better. Which is, oddly enough, exactly what I expected.

One thing I'd really be interested in learning about is how much time and how many attempts it took them before they could successfully unlock the phone. And more pertinently, what those values might look like once they get some more experience with it. In a real-world scenario, they only get 48 hours and 5 attempts, so any technique which takes more than that is still nonviable.

It will also be interesting to see if Apple is able to improve their defenses against this. I get the sense that they couldn't improve Touch ID much because a good fake fingerprint looks just like a real one to the sensor. This mask definitely does not look much like the person's actual face, so they may be able to tweak things to be more resistant to this attack.

Which is not to say that this attack is pointless or these guys are dumb or anything. I'm impressed with their work! It's just not a game over situation the way they make it sound in certain parts of their writeup.


> As for fingerprints versus facial recognition, the article claims fingerprints are better, but I’m skeptical. For one thing, my phone is covered in my own fingerprints, so getting something to copy is a lot easier.

Would it be possible to have a really secure phone that had fake fingerprints added to the material of the surface of the phone?

I'm only half-serious, but it might make lifting the real prints harder...

(maybe it is trivial to distinguish prints made on a surface from those in the structure of the surface)


I suspect that any solution along these lines would be easy to break, because real fingerprints aren't permanent. If all else fails, make a high-resolution scan of the entire phone, then clean it and make another one. The fingerprints that are no longer present in the second scan are the real ones.

You might have a better shot at coming up with some material that just doesn't get fingerprints on it in the first place. Maybe a cloth-covered phone?


>Would it be possible to have a really secure phone that had fake fingerprints added to the material of the surface of the phone?

Because we don't touch 20000 other objects every day from where someone can pick our fingerprints from?


_>Because we don't touch 20000 other objects every day from where someone can pick our fingerprints from?_

We're less likely to lose one of those objects at the same place and time we leave our phone somewhere. It's comparable to leaving your keys in your car. Sure, someone could find those keys where you lost them and then find your car - but it sure is easier for them when they're both in the same place.


> We're less likely to lose one of those objects at the same place and time we leave our phone somewhere.

I think it's very likely that you touch something at the place where you left your phone, assuming that it wasn't dropped while you were moving.


But you usually don’t draw a circle around the relevant print and leave a note saying “use this one to unlock my phone” (unlike the Touch ID sensor).


or good old tactics wonderfully illustrated in the xkcd: Security[0] cartoon.

[0]: https://xkcd.com/538/


> maybe it is trivial to distinguish prints made on a surface from those in the structure of the surface

I believe it is. Fingerprints left on a surface are made with oils from the skin and are "lifted" off by applying a substance that sticks to it and literally lifting the print off the surface.


> For one thing, my phone is covered in my own fingerprints, so getting something to copy is a lot easier.

Use your pinky or ring finger for fingerprint recognition.


Biometrics are weaker than anything that relies on knowledge, for the simple fact that a physical attack IRL cannot be resisted. One could die without revealing a pin or password, but a biometric device would reveal his secrets very quickly through simple coercion and even after death has occurred.


>One could die without revealing a pin or password, but a biometric device would reveal his secrets very quickly through simple coercion and even after death has occurred.

Well, that's hardly a criterion for most people. I'd rather give the password than die.


If you have cameras watching someone from many angles you could just watch them type in their PIN. It would be much easier than making this mask thing.


When you start to think about attacks from adversaries with lots of resources (like governments), are passwords safe from fMRI-assisted interrogations?


Uh... Yes? fMRI isn't telepathy.


Apple specifically recommends to law enforcement using a deceased suspect’s fingerprint while the device will still accept it to bypass encryption.


Legally in the US you can't be forced to testify a password under the fourth amendment, but you can be forced to use your fingerprint to unlock a device. That's why repeatedly pressing the power button on an iPhone prevents any biometric unlocking.


I'm not sure that's firmly established. Last time I looked into it, there were rulings in just about every direction, but the trend seemed to be what you suggest.


I'm curious if using that feature could lead to other charges.


>but stuff like this makes it hard to take them seriously

What about that part makes it hard to "take them seriously"?

Their claims to be "the leading security firm" etc might be, but this is a perfectly rational and plausible claim (and the part that the technology was rushed is true as told by Apple).

>Before Touch ID, my passcode was 0000 with a four-hour lock timeout.

Then probably you're not the target market for a secure device.


It's hard to take seriously because they take a story about Apple getting the phone out a year early as somehow demonstrating that Apple hadn't properly studied how the security of Face ID compares with Touch ID. It's a total non sequitur.

There's no such thing as "a secure device." There are devices which offer various levels and types of security. If you're a CIA officer carrying classified secrets on your device, you probably don't want to use Face ID. For the average user, it's a nice increase in security.


It's hard to take Apple seriously about Face ID when it's now obvious that security wasn't the goal at all.

Face ID is a gimmick to keep attention on the iPhone.


In what way is that "obvious"?


Every single review that I've read has mentioned that it does not work 100% of the time that the reviewer expected it to. That's the first thing that makes it obvious to me because they chose to champion something that does not work over something that does. Biometric security implementations are all gimmicky.

The second thing is their claims and their focus on marketing around security. This was easily beaten in its first week in the real world! So it's not really that secure is it?

The third thing is that Apple has a long history of choosing gimmicks over actual functionality. The OS X dock is just one example of this.


Not working 100% of the time when it ought to is evidence that they do care about security. There's always a tradeoff between false positives and false negatives in these systems. Favoring false positives is better for usability, and favoring false negatives is better for security. The most usable biometric system in the world would be one that's hardcoded to return "success" no matter what.

The second thing means they maybe didn't succeed to the extent they wanted to, but certainly doesn't tell us that security wasn't even a goal.

The third thing is irrelevant to the question at hand.
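The false-accept / false-reject trade-off described in the comment above, as an added example that is not part of the original thread and is not Face ID code: a matcher is just a score compared with a threshold, and moving that threshold trades one error rate for the other. The match scores, the threshold grid and the error budgets below are constructed for illustration.

```python
"""Added example: the false-accept / false-reject trade-off behind a
biometric decision threshold. The match scores below are constructed for
illustration; they are not Face ID or Touch ID data."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed match scores in [0, 1]; higher means "more like the enrolled
# template". GENUINE = the owner's own attempts, IMPOSTOR = other people.
GENUINE: List[float] = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.86, 0.70, 0.93, 0.84]
IMPOSTOR: List[float] = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.52, 0.73, 0.30, 0.45]

# Candidate thresholds (assumption: 0.00, 0.05, ..., 1.00).
GRID: List[float] = [i / 20 for i in range(21)]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    far: float  # false accept rate: impostor attempts that unlocked
    frr: float  # false reject rate: genuine attempts that were refused


def accept(score: float, threshold: float) -> bool:
    """The whole "security" of the matcher is this one comparison."""
    return score >= threshold


def operating_point(threshold: float,
                    genuine: Sequence[float] = GENUINE,
                    impostor: Sequence[float] = IMPOSTOR) -> OperatingPoint:
    false_accepts = sum(accept(s, threshold) for s in impostor)
    false_rejects = sum(not accept(s, threshold) for s in genuine)
    return OperatingPoint(threshold,
                          false_accepts / len(impostor),
                          false_rejects / len(genuine))


def sweep(grid: Sequence[float] = GRID) -> List[OperatingPoint]:
    """FAR and FRR at every candidate threshold; FAR falls as FRR rises."""
    return [operating_point(t) for t in grid]


def loosest_threshold_for_far(max_far: float,
                              grid: Sequence[float] = GRID) -> Optional[float]:
    """Usability-first: the lowest threshold whose FAR is still acceptable.
    Returns None if no threshold in the grid meets the FAR budget."""
    for point in sweep(grid):
        if point.far <= max_far:
            return point.threshold
    return None


def strictest_threshold_for_frr(max_frr: float,
                                grid: Sequence[float] = GRID) -> Optional[float]:
    """Security-first: the highest threshold the owner can still live with."""
    for point in reversed(sweep(grid)):
        if point.frr <= max_frr:
            return point.threshold
    return None


if __name__ == "__main__":
    for p in sweep():
        print(f"threshold={p.threshold:.2f}  FAR={p.far:.2f}  FRR={p.frr:.2f}")
    # Threshold 0.0 is the "hardcoded success" matcher: FAR 100%, FRR 0%.
    print("always-accept matcher:", operating_point(0.0))
    print("loosest threshold with FAR <= 10%:", loosest_threshold_for_far(0.10))
    print("strictest threshold with FRR <= 10%:", strictest_threshold_for_frr(0.10))
```

With these constructed scores the two policies land on different thresholds (0.70 if you budget for 10% false accepts, 0.75 if you budget for 10% false rejects), which is the point of the comment: a vendor that accepts some refusals of the real owner has chosen the security side of that curve.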


Every single review that I've read has mentioned that it does not work 100% of the time that the reviewer expected it to.

Neither does TouchID, and you’ll pry that from my cold, dead, fingers, one of which will probably be hovering over the TouchID sensor.


>It's hard to take seriously because they take a story about Apple getting the phone out a year early as somehow demonstrating that Apple hadn't properly studied how the security of Face ID compares with Touch ID. It's a total non sequitur.

Non sequitur? Sounds like a totally rational argument to me, to the point of being a tautology.

Rushed a feature to market by one year == they also rushed the testing.


There are a lot of holes in your equation there.

Apple never said they rushed the phone. They said they were able to get it out early. These are not the same thing; "rushed" implies that quality suffered, while merely getting it out early could just be due to work going faster than anticipated.

Even if the phone as a whole was "rushed," that doesn't mean Face ID was. Maybe it was naturally ready by now.

Even if Face ID was rushed, that doesn't mean that the security aspects were rushed.

Even if Face ID's security aspects were rushed, that doesn't mean testing was rushed.

It's like if you show up early to a meeting and so I accuse you of speeding. Is that sensible?


>It's like if you show up early to a meeting and so I accuse you of speeding. Is that sensible?

No, but it is sensible to consider that if they've estimated 2018 themselves as the initial release date and then put it out in 2017, they didn't "make it naturally" but rather rushed it.

I don't say that's 100% proven or anything.

But it's very sensible to consider -- in other words plausible.

It might be "rushing to conclusions" but it's totally not a "non sequitur", since evidence in support is there, even if you find it lacking.


> I don't say that's 100% proven or anything.

You previously said it was "to the point of being a tautology."


How do you know they rushed features to market instead of dropping other features which we don't even know about because they were dropped? Isn't this exactly how people want agile products delivered?


No, "the part that the technology was rushed" is NOT "true as told by Apple." This silly rumor is in fact completely false, and silly, and easy to debunk, and was debunked, and after it was debunked, Apple then made a statement in which they denied this silly rumor.


Troy Hunt already posted about this [1].

I think this quote is fitting:

"More than anything though, we need to remember that Face ID introduces another security model with its own upsides and downsides on both security and usability. It's not "less secure than a PIN", it's differently secure and the trick now is in individuals choosing the auth model that's right for them."

[1] https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pra...


From Troy Hunt's article:

> given the processing power to actually observe and interpret eye movements in the split second within which you expect this to work, this would be a really neat failsafe. Apple highlights this as "attention awareness"

Yes, it would be a great failsafe.

However, if the PoC demonstrated by Bkav is legit, it would seem that Face ID doesn't look for eye movement; it just checks if the eyes are oriented toward the device.

That said, I agree that regular people probably don't need to worry about any of this.


You can also turn attention awareness off. They didn’t specifically mention whether they turned it off or left it on.


According to tweets from Wired, the attention features were disabled when they initially observed the test. There were also questions that they asked that the Bkav team refused to answer.


Or maybe it does check, but the mask puts it in some kind of error recovery mode.


As a consumer this doesn't worry me as to be able to crack my phone it looks like they would already have to have access to my face to make the mask (and an expert sculptor to make a nose).

If they could demonstrate it working from a 3D printed mask taken from a surreptitious scan at distance in the outdoors then I think we'd have reason to be worried.

For spies, spooks, government agents etc. I suspect that Face ID would always be a no-no as it is much harder to control the ability of others to eavesdrop.


Another thing is that an attacker only gets a few chances to use the face unlock before the phone requires a pin. How many tries did it take them while having to re-enable FaceId after locking the phone? IMO, it's only 'broken' if they can get the face right the first time without causing the phone to lock itself.


Hmm. I read somewhere that if FaceID doesn’t work and you use the PIN, it adds the face to the dataset. Is it possible they just slowly worked the mask into the dataset?


That's not what I'm saying. They made a face that managed to trick the FaceId, but how many times did they have to test it? In a real world situation, the face would have to work in 3 tries or the phone locks itself with a passcode. Given the elaborate process they went through to make the face, it would be very hard to make a face that basically works the first time (I've noticed FaceId will try multiple times and lock pretty quickly).


Doesn't sound like they took that approach:

> However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.


I was confused by this at first. I thought one of the concerns was that the algorithm would be more discerning about the real face over time. It doesn't seem as though they've addressed this issue.


Then again, if they wanted to make a name for themselves with BS, they would say that even if they have done the opposite.


How did they accomplish this though? Is there a timeout where, after enough FaceID failures cause a fallback to passcode, FaceID is accepted again without entering a passcode in the interim?


No, Face ID takes another snapshot after the passcode has been entered.

Source: "Face ID takes another capture and augments its enrolled Face ID data" https://images.apple.com/business/docs/FaceID_Security_Guide...


This only happens if the face is deemed similar enough to the original face data, which is unlikely if it's a completely different person.

Here's the entire quote:

"…if Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation"
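The augmentation rule quoted above, and the "slowly work the mask into the dataset" worry a few comments up, as an added toy model that is not from the original thread and is not Apple's implementation. The feature vectors, the similarity function, the two thresholds and the passcode timing window are all assumptions chosen for the illustration; Face ID's real representation and numbers are not public. The model shows why the "match quality higher than a certain threshold" gate matters: without it, anything that precedes a passcode entry would be learned.

```python
"""Added example: a toy model of the "augment the enrolled data after a
near miss plus an immediate passcode" rule. The feature vectors, thresholds
and timing window are assumptions; Face ID's real representation is not public."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Vec = Sequence[float]

ACCEPT_THRESHOLD = 0.90      # assumed: score needed to unlock
AUGMENT_THRESHOLD = 0.80     # assumed: "match quality higher than a certain threshold"
PASSCODE_WINDOW_S = 5.0      # assumed: "immediately follow the failure" with a passcode


def similarity(a: Vec, b: Vec) -> float:
    """1.0 for identical vectors, falling with the mean absolute difference."""
    return 1.0 - sum(abs(x - y) for x, y in zip(a, b)) / len(a)


@dataclass
class Template:
    captures: List[Vec]

    def score(self, probe: Vec) -> float:
        # Best match against any stored representation.
        return max(similarity(probe, c) for c in self.captures)


@dataclass
class FaceUnlock:
    template: Template
    gated: bool = True  # False = naive "learn whatever preceded a passcode"
    pending: Optional[Tuple[Vec, float, float]] = None  # last failed (probe, score, time)

    def attempt(self, probe: Vec, now: float) -> bool:
        score = self.template.score(probe)
        if score >= ACCEPT_THRESHOLD:
            self.pending = None
            return True
        self.pending = (probe, score, now)
        return False

    def passcode_entered(self, now: float) -> bool:
        """Correct passcode typed at time `now`; returns True if the preceding
        failed capture was added to the template."""
        if self.pending is None:
            return False
        probe, score, failed_at = self.pending
        self.pending = None
        if now - failed_at > PASSCODE_WINDOW_S:
            return False  # not "immediately" after the failure
        if self.gated and score < AUGMENT_THRESHOLD:
            return False  # too far from the enrolled face to be learned
        self.template.captures.append(list(probe))
        return True


# Constructed feature vectors (assumption: three normalised measurements).
OWNER = [0.50, 0.50, 0.50]
OWNER_WITH_GLASSES = [0.65, 0.60, 0.60]   # near miss: scores about 0.88
MASK = [0.10, 0.90, 0.20]                 # far off: scores about 0.63


def mask_learned(gated: bool, tries: int = 5) -> bool:
    """Attacker presents the mask, is refused, types the (known) passcode,
    and repeats. Does the mask ever unlock the phone on its own?"""
    phone = FaceUnlock(Template([list(OWNER)]), gated=gated)
    t = 0.0
    for _ in range(tries):
        if phone.attempt(MASK, t):
            return True
        phone.passcode_entered(t + 1.0)
        t += 2.0
    return False


if __name__ == "__main__":
    phone = FaceUnlock(Template([list(OWNER)]))
    print("glasses, first try:", phone.attempt(OWNER_WITH_GLASSES, 0.0))   # False
    print("learned after passcode:", phone.passcode_entered(1.0))          # True
    print("glasses, second try:", phone.attempt(OWNER_WITH_GLASSES, 2.0))  # True
    print("mask learned (gated):", mask_learned(gated=True))               # False
    print("mask learned (naive):", mask_learned(gated=False))              # True
```

Note what the gate does and does not buy: in this model a capture that is nowhere near the enrolled face is never learned no matter how many passcodes follow it, but a capture inside the near-miss band is, so the attacker who can type the passcode is the one the gate constrains, and that attacker already has the phone open.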


>As a consumer this doesn't worry me as to be able to crack my phone it looks like they would already have to have access to my face to make the mask

So like what they can gather from 100s of one's photos in social media and other places?


This assumes a lot.

As the OP said: demonstrate that from that data you can produce a sufficiently accurate model that works with this method.

The article hasn’t.

It may be possible (you only have to match the resolution of the IR depth map) but it is not currently demonstrated.

Plus I imagine it’s quite easy to refine FaceID in the software as well so an attack like this may not be very long lasting.


Attacks only get better with time. Check back in a couple years and someone may have done just that.


Defenses only get better with time too. That isn’t a good argument. Based on that logic we should have no security ever on anything because it’s always pointless long term.


they also have to gain physical access to your device, so if you're that worried about it, don't use FaceID or do the 'squeeze lock' to disable FaceID and require your passcode for the next unlock before you go to bed or something


>If they could demonstrate it working from a 3D printed mask taken from a surreptitious scan at distance in the outdoors then I think we'd have reason to be worried.

I would be astonished if state actors are not already well on their way to figuring out how to do this.


That's true but it's outside the threat model for most devices: that same state-level actor can no doubt use cameras to collect passwords and some combination of imaging and subterfuge to get fingerprints, too.


>For spies, spooks, government agents etc. I suspect that Face ID would always be a no-no as it is much harder to control the ability of others to eavesdrop.


It seems much more secure than fingerprints, since that was defeated much more quickly (within a couple days?), with easily lifted prints and a more cost effective (though still somewhat lengthy) method.

This, in comparison, seems much harder and consequently further reduces the realistic attack scenarios where people have to be worried. For most people this is a non-issue. (It mostly already was a non-issue with fingerprints, for the same reasons.)


TouchID was spoofed in 2 days and FaceID in 7 days. Still, I feel like the difference in time is not that relevant.

I think the biggest difference in time was given by the "attacker" trying to understand what the FaceID system is looking for exactly, as an algorithm. But once they know that, future attacks should be much faster. Like if they try to bypass someone else's phone, it shouldn't take another 7 days. It could even be hours.

With TouchID they already knew what to do - clone someone's fingerprint. There's no machine learning algorithm that needs to be reverse-engineered there.


>I think the biggest difference in time was given by the "attacker" trying to understand what the FaceID system is looking for exactly, as an algorithm. But once they know that, future attacks should be much faster

Not necessarily, as the algorithm is a NN (IIRC), so it looks for different things on different people too.


Even easier perhaps, with all the news about adversarial networks lately!


Remember: Attacks always grow better, not worse. The bluetooth distance records grew quite quickly.


Apple could add eye movement to its algorithm tomorrow and this attack would fail forever.


Oh sure. Unreleased vapourware beats all attacks.


Isn't this attack "unreleased vaporware"?

For example, you have to use FaceID every 4 hours or it requires a passcode. Do you think they were able to hand make an acceptable mask within 4 hours?


It's not vapourware: It may be a lie, but it's not a promise of greatness in some future version. They're saying "we have carried out an attack", not "we will attack oh-so-well".

Regarding the four-hour limit, the attacker has to either cheat and start making the mask in advance, or practise making masks quickly. Neither seems impossible. But of course, Apple could (and IMO would) improve the defense. I'm sure Apple would think of ways to counter any publicly known attack.


Do they have to start making the mask after obtaining the phone?


It's definitely a better situation than an attacker being able to steal your fingerprint off a glass or other everyday object. Copying a fingerprint requires very little skill.


> or other everyday object

You mean like a phone or something?


... I feel stupid now.


The fingerprint is likely going to be right there on the big shiny button that reads the fingerprint :-D


I thought you needed a 3D fingerprint to fool an iPhone—a mold from an impression in clay rather than a smear on a window.


Yes, but fingerprints are trivially 3D, one part is just slightly recessed. They can be easily reconstructed from a 2D photo.


No, you can put a thin printed 2d fingerprint onto your finger to fool it.


This isn't true, touchID requires a living person/something that simulates a living person to unlock.


Interesting. Can you point to any official white-paper from Apple claiming this? I'm reading this: https://www.apple.com/business/docs/iOS_Security_Guide.pdf but I cannot find any such information about a living person.


Don't have any paper from Apple about this, but the first fingerprint scanners started to check temperature to avoid reading old fingerprints left on the reader when someone breathed on it to trigger a new reading. So to attack the temperature check you had to place a plastic bag with body-temperature water on the reader, making it read the old fingerprint if enough of it was left on the reader. Then they started to check for pulse, so the easiest attack is to put a false fingerprint on a finger.

Fingerprints are easy to copy and you cannot change them, so fingerprints might be more secure than using the PIN 1234. But it isn't more secure than a strong password, but so much more convenient to use...



While I'm pretty sure that Touch ID does have liveness sensing, that answer is nonsense. Nothing about capacitive touch requires liveness. You can manipulate a touchscreen with a hot dog.


Isn’t that why they said to put it on your finger?


Two words: incremental improvement.

3d printing is getting better and cheaper all the time.

Cameras and software are getting better all the time.

If someone cares enough to invest the R&D it should be pretty easy to automate everything between getting photos of someone and printing the mask.

The point is that using biometric authentication as an all-in-one isn't secure.


Photos are not enough, they would need a high resolution 3D scan on the person’s face as well. Also they didn’t just use 3D printing, they had to use different fabrication methods and materials for different parts of the face part of which was ‘simply’ hand sculpted. This is not at all trivial to automate.

But then we already know it’s not as secure as two factor authentication and a random passcode. Touch ID could be fooled with printed fingerprints as well, though with the deep subcutaneous scanning in later versions it was much harder than with the first version. Anyway, nobody who critically depends on the security of their phone should use Face ID or Touch ID anyway.


Why do you know that photos are not enough? If you have good enough photos you can produce higher resolution 3D models than with a Kinect like depth sensor (which in the end is just a stereo "camera" anyway). And since the Face ID probably does not work with any arbitrary 3D object but only with faces you just need to reconstruct the target face to a degree so that the Face ID system can detect the landmarks it is looking for.

My guess on how those attacks will develop in the future are:

1. Exploit occlusions. As far as I know the FaceID System does work with occluded faces (glasses, maybe scarfs in the winter, ...). Once you know what the minimum required visible area is, you can focus on partial faces. If the algorithm has less features to identify, it probably makes more mistakes and is easier to fool.

2. Create a low-dimensional (in terms of parameters, not vertices) representation of a face that can be tuned to mimic a wide variety of target faces and still is correctly identified by Face ID. Once you have that you can take a few photos of your target person and tune the parameters in your generic model to fit the person in the photos, and probably be even able to reconstruct a mask from far away.

3. Try to create a real mask with a flexible surface that can be tuned to fit a wide range of faces. If at all possible try to span the same feature space as in 2.) as it would allow you to create a real face mask from only the few parameters that directly come from your fitting process.

If all of the above works an attacker can create an Iphone stealing pipeline:

Have several cameras set up in a crowded tourist spot. Match persons in different views and try to reconstruct their faces. Once the system has found a person that has been viewed from enough angles, "retrieve" his phone unlock it with the mask and reset it.

I know that does sound pessimistic, but your face is a "security token" but one which you can not realistically protect from theft. Unless you want it to have serious negative impact on your daily routine.

And if someone wants to hide his face while in public (i.e. with a surgical mask), he can no longer travel to certain countries. I live in Austria and there just recently came a law into effect that bars everyone from occluding their face while in public.


One photo is not enough, but several lets you create a high quality 3D model.


> Two words: incremental improvement.

Well, the same applies to the iPhoneX and its software, I suppose.


> If they could demonstrate it working from a 3D printed mask taken from a surreptitious scan at distance

A scanner could be placed e.g. behind or on top of a mirror in a restroom.


Presumably all you would need is another iPhone X to do the scanning.


The data from one iPhone isn’t supposed to be useful to another since the infrared emitters are in a random pattern.


It doesn't need to be usable to another iPhone for what we're discussing in this subthread.

Just to be usable to map the face in 3D space and make a mask.


Yes, but Apple probably has locked down the scanner.


For a consumer, it's fine -- way better than the bullshit passwords that people use.

Once you start getting into higher security areas, you still need multiple identity factors to authenticate people. I'd guess that a bigger potential risk factor for systems like FaceID is intent -- entry of a passcode or fingerprint being placed on a button is a more explicit expression of intent as opposed to glancing at a device.



To make a 3d mask you don't need a 3d scan. You just need a few photographs from different angles and off the shelf photogrammetry software.

These scans were made from photographs: http://2.bp.blogspot.com/-c_lP5_5u1Dk/VmM5aDNFHzI/AAAAAAAABz...


>> For spies, spooks, government agents etc. I suspect that Face ID would always be a no-no

You are correct. Face recognition, like any other biometric, is a bit of a farce. The face doesn't unlock the phone. The face is read by software which then generates some string of numbers, essentially a hash of the face/print, that then unlocks the phone. That hashing process can be hacked/intercepted/replicated just as with any other password. Biometrics is a convenience feature, not a security device. But the real reason that biometrics aren't used in highly secure environments is the difficulty of repudiation. If/when a break-in does occur, how exactly does everyone reset their faces? It's like asking everyone to reset their passwords and everyone then using the same passwords. What you have to do is install a new hashing regime and rescan everyone's faces.

The best system, the one that is used most everywhere, is three-factor: (1) A card you carry/scan. (2) A password/code you enter into a pad. (3) An old man behind glass, usually a retired soldier, who has been in the job for years and knows everyone in the building. That old man can recognize people better than any biometric scanner.


Very important note: Be sure to provide the old man behind glass with food and water. I had an old man behind glass in my house for security and didn't think to give him food and water and he died within a week.


Exactly. This is definitely not a reason not to buy an iPhone X.


yeah this is mostly like, multinational CEOs, etc who would be targeted


And they shouldn’t rely on consumer-level security protection.


You say that like they don't all use commodity phones and laptops. The idea that people are buying super secure hardware for CEOs is firmly in the realm of screenplays.


I didn’t say they shouldn’t use an iPhone, I said they shouldn’t use consumer level security features. All leading smartphones have enterprise features that change the security profile — for example to use long alphanumeric passwords instead of a PIN or FaceID.


Also, it took them a whole week to achieve this. So this is definitely not something someone could realistically do to you unless you are a some sorts of high-profile target.


Or you know, have access to a $300 3D printer, a $200 real one, is idle (e.g. unemployed), and can expect to make $2000 or more from stealing your phone/identity details etc.


Once someone is at the stage where they're going to 3D scan you, create a replica of your face and steal your phone to get into it...why wouldn't they just coerce you into unlocking your phone with force? See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis



Because they depend on you not knowing it.

Also because the former carries a much smaller jail sentence if caught.


Most of these answers basically say nothing. e.g.

"""Q: How did Bkav develop the mask (for example why you use silicone for the nose, why 3D printing for some areas while special processing for others, etc.)?

A: You are right. Many people in the world have tried different kinds of masks but all failed. It is because we understand how AI of Face ID works and how to bypass it. As stated above, we were the first in the world to show that face recognition was not an effective security measure for laptops."""

is a really nice way to dodge the question of why they used silicone for some parts of the mask.


They're an "Interesting" company...

I'm not sure the authenticity of this story. The authors of the hack claim to be: "the leading firm in network security, software, smartphone manufacturing (Bkav.com/Bphone) and smarthome"[sic] and one of their products is a "gold plated SmartHome for super luxury villas".

I wonder if it will work in ordinary luxury villas...


their bphone is just an overpriced android phone. they even go as far as re-branding chrome to be bchrome. probably without google's permission as well as installing market and google default apps.


I feel like this demo is not really good. A video where a (real) face is learned in and then the mask is used to unlock would be good, this could just show that the mask is learned into FaceID.


And then the question would have been if it could be beaten after the system was given time to learn.


Or at least the lock on top of the screen could do the unlock animation when they use the mask. ;)


The 1st point is, everything went much more easily than you expect. You can try it out with your own iPhone X, the phone shall recognize you even when you cover a half of your face. It means the recognition mechanism is not as strict as you think, Apple seems to rely too much on Face ID's AI. We just need a half face to create the mask. It was even simpler than we ourselves had thought.

Interesting. I expected this to be some quite obscure technique.


> We used a popular 3D printer. Nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple's AI.

That seems reasonably obscure (:


This is the first step, it's only going to get easier from now on.


Sure, but Face ID will also evolve.


There was also a rumor that Apple was having trouble with FaceID recognizing people (it even happened to Craig Federighi on stage!), and they made the security less strict so it recognizes people more easily. For all we know, FaceID doesn't have that "1 in a million" False Acceptance Rate anymore, but only 1 in 100,000, which would be a lot closer to a fingerprint.


What happened to Craig was that he tried to unlock a freshly rebooted phone. iOS requires the user’s passcode after booting, and won’t allow a biometric unlock until after that.


No, it was actually that the people setting up the stage accidentally triggered Face ID often enough that it fell back to passcode. Could find a link to Apple's explanation if needed.


Thanks, you're right. It looks like it was initially reported as having been rebooted like I said, but Apple later on explained it as you say, and I must have missed the update. Here's a link:

https://9to5mac.com/2017/09/13/face-id-demo-fail-details/

Anyway, the key point here is that Face ID didn't fail to recognize Craig, it refused to recognize him because it had already been locked.


If somebody is going to try this hard to get through my Face ID, I’m enough of a high level target that I’m not relying on a shortcut unlock feature of a consumer cell phone. And I’ve likely got bigger problems.


If you are that high level then your family and close associates are all targets. Same goes for their family and network...


> Because... we are the leading cyber security firm ;)

But you don't even use HTTPS. Why?


Because the information was meant to be public anyway?


Their "download" page is also HTTP which is a bit more concerning. Pretty sloppy for a company that provides security tools imho.


There are countless other benefits to having HTTPS (such as ensuring the end-to-end integrity of the communication so stuff can't be injected in the document). It's not meant only for private information.


Not using https means that your ISP, your mobile carrier, or your airport network provider can modify the information being presented to you. This is not a hypothetical, it happens all the time (though usually just to inject ads).

It's not about whether the provider wants the information to be public, it's about whether the provider wants the information to arrive intact.


This is the infamous "nothing to hide" argument in a different form.


I’d really like to see more details about how this was done, and less of the over-the-top rhetoric.

Claims such as “we are the leading cyber security firm” and “we understand apple’s AI and how to beat it” do not make you look more competent, just more boastful.


Yes, the whole tone (and lack of specificity) of the article does not add to its credibility.


Can somebody explain this:

"A: It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask."

Does it mean passcode was completely off and the phone would not lock itself after a few failed attempts? Because there's a difference between trying until it works and getting a mask within 24 hours that does not fail three times.


They don't directly and clearly answer almost any question, or simply evade them like this first one. Weird, especially considering they've written both questions and answers.


It most definitely matters. I have read Face ID tries to learn more about your face if you unlock it with the passcode after having issues unlocking with your face. What are the chances it learned the mask?


That's a super interesting thought. Face ID is a bit of a black box. Though I'm not trying to defend it to death, I can imagine it's better than all of the face scanners before it but far from super secure.


> It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure.

They are saying the question is moot.

> However, we knew about this "learning"

but they are going to answer the question regardless

> thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.

They ensured that the mask didn't get integrated into Apple's learning data by never entering the pin. The understanding is that whenever a failed face scan is followed by a correct pin, the face scan is added to learning data (since the assumption is it belongs to the legit user).


Isn’t it strange that a room-temperature face can unlock the phone when Apple has made it clear that the iPhone X uses the temperature of the face to detect masks etc.? From the perspective of the IR camera, the mask and that guy’s face should look completely different. This attack makes it look like it’s not using this information at all.


The IR camera is near-infrared, it measures more or less light that your eyes can't see, and no heat frequencies. The IR camera is used to recover 3D information: https://en.wikipedia.org/wiki/Structured-light_3D_scanner


well.. if you have already advanced to the point where you're making a mask, I imagine it wouldn't be too hard to heat it up a bit.



i enjoyed the presentation, he has a flair for the dramatic.


So, fingerprints are not "secure", face recognition is not "secure"... Are passwords/double authentication the only way to keep things private and secure these days? Are there any serious alternatives?


A fingerprint is just a really complex password that you leave on everything you touch. Your face is just a really complex password that is written on the front of your head.

It should be self-evident that neither of these is "secure" for some level of "security", but they might be perfectly fine for the level of threat that you face, which is not likely to be particularly high. But I don't know you, so maybe you face a higher-than-average level of threat, in which case, yes, a sufficiently long password/passphrase that you memorise is probably the best option for your mobile device.


fingerprints and faces are just really complex usernames: they're not secret at all.


Your biometric measurements are essentially secrets. They work today because it's far too difficult for a thief to steal your device AND copy your biometrics at the same time. This makes them the most secure tokens we have in real world use, given the number of people with 0000 passcodes.

Eventually they may become easy to copy, then their utility as secrets will be gone.


Advanced fingerprint recognition devices recognize things that are not left on things that you touch. They look under the skin at blood vessels and measure body capacitance and other statistics. That's why there is the weird light on the "biometrics" device in the airport, to be able to see through the outer layers of skin.

https://en.wikipedia.org/wiki/Finger_vein_recognition


The solution is obvious: genital scanners! https://www.youtube.com/watch?v=0zu4XlM_89s


This is why you can't meaningfully talk about security without talking about a threat model. People don't talk about safes being broken because advanced tools will eventually open anything because the model assumes the police will show up and so the safe just needs to delay an attacker or require them to bring conspicuous or slow equipment.

If your goal is not having the punk who grabs your phone be able to get access to your banking info or personal data, any competent biometric system is a huge win if it means that the average person keeps their device locked rather than unlocked because it's too much trouble.

If you're worried about mass surveillance-style attacks, a fingerprint sensor or advanced face scanner is likely better than a password because it's significantly harder to harvest using a camera in a public place.

If you're being targeted, all of those trade-offs change, almost completely if state-level resources are involved.


> Are passwords/double authentication the only way to keep things private and secure these days

That's always been the case. The main promise of biometric security was not "better security", but better convenience. The best argument for it would be that it makes average security better, in the sense that more people use it than not use anything at all or re-using passwords, but it's not the best way to secure your devices.

Password manager + U2F token is the most secure way to lock your accounts.


I've read somewhere (probably in one of Troy Hunt's posts) that biometric data should not be the password, but rather the username. Maybe we're looking at this the wrong way. Biometric data seems to be equivalent (or at least similar) to a public key.


Public keys still (ought to) get rotated-out when they've been in-use long enough that they could have been factored in that time.


It's pointless even thinking about IMHO.

Someone could just hold a gun to your head or to your partner/child and then it's irrelevant what the security mechanism is. You are going to hand over the credential since your privacy is not more important than your life.


it’s not equivalent because there are very different penalties in hacking someone vs torturing or coercing. So it requires different levels of motivation.


And you can scale hacking to millions of people via computer automation or hiring out of country workers. Scaling kidnapping and torture to millions will attract significantly more government attention.


Nothing is secure against a determined attacker (in the same way the door to your house doesn't resist being battered with a ram)

The issue is convenience together with good enough security


Fingerprint or face or retina is not a "password", it is a "login". And we should have a proper password in addition to the login, not as a substitute.


I wonder if Apple experimented with using eye movements as a passcode? I imagine they have the technology available to do such a thing. That would make it so your face is your username and a specific movement you made with your eyes the password.


There are conditions that may make an average person unable to perform the movement, like getting a severe cold or an eye infection that makes an eye water. They may still want to use their phones with minimum inconvenience, instead of resorting to entering a passcode. It may not be possible for some people to configure it well either, and may probably result in eye movements that others may consider weird (imagine rolling your eyes in front of your boss because you wanted to unlock your phone).


No, we should not have a "proper password" in addition to a login. People use their phones without passcodes or set them to 0000 all the time. Edit: The worse problem is if biometrics fail in that scenario, you can't access your device ever again.

In the real world, effective biometrics are the most secure login tokens we have.


So what is the problem then - they will just have face/fingerprint protection (as they have now) plus a useless 0000 pin. And all this optional in settings. No inconvenience at all. Others will have proper bio + password protection that can't be abused in most cases.


The problem is you are locked out forever if your biometrics fail. Requiring biometrics AND passcode means both have to succeed, Apple wisely chose to let you use biometrics OR passcode, so you can still get in when biometrics don't or can't work.


I do realize that some scenarios where bio fails exist. But I don't want simultaneous security all the time, I want an option to enable it and disable it when I want. E.g. I'm traveling through customs and I enable this mode - now the phone can't be opened by e.g. restraining me (or tricking me) and using only bio, they won't know the password to match. And if they request to unlock my phone for inspection, well ok - but they can only look into it beside me; the minute it autolocks they won't be able to open it knowing only the password that I provided, because my bio is inseparable from me. Some other valid scenarios can also exist.

PS: I read that some community firmware images allow this mode, the only thing that stops me from using them is lack of camera drivers for unofficial firmware.


One problem with passwords is that one has to use an input device like a keyboard or touchscreen to enter them (not needed with a password manager but how to enter that? via a password). Cameras and eyes can record this. Wouldn't surprise me if software can already accurately record keystrokes via a camera feed.


Then what's the point of the added complexity? It's a single user device, so just have a password.


Appliances like telephones will never have secure passwords (e.g. 32 random symbols), they will have at most short and insecure pins/passwords, 6-10 numbers or letters. But adding on top of that fingerprint/face with 1/10000-1000000 security will make it acceptably secure and still convenient.


I was hoping they released more details about the process. One possible method is that they trained the iPhone's Face ID on the mask by repeatedly failing to unlock it with the mask and then entering the passcode, which trains the iPhone's neural net on the new face (mask in this case). There was a video a few days ago where the iPhone X was unlocked by a man's brother by doing this: https://9to5mac.com/2017/11/04/face-id-siblings-fail/ .

This was posted 2 days ago, any statement from Apple on this story?


They address this in their second point:

> It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask.


Yes, they addressed it, but why not demonstrate it if it was actually true? As in register on camera then point it at the mask.

My guess would be because it doesn't actually work.


I re-read the whole thing but cannot find what special processing is all about. Is it molding using clay or something?


The special processing is done to large areas of skin, so I would say that it is makeup powder to make the plastic have IR reflective properties of real skin.


Why not layer on more data? Like a facial gesture (smile, wink, tongue out, etc) and a fingerprint? Both using thermal readings as "proof". Given you're almost always using your face and hands, this isn't much of an inconvenience but it's powers more secure. All for pennies (in comparison to a $1k device).

It's infuriating that each time a mass-produced biometric scanner comes out, it's hogtied by the fact this cheap technology isn't quite good enough yet.


This type of 'layering' could be done with other devices in the eco-system, too. The Apple Watch for (a crude) example:

> Does this person have an Apple Watch? Is the device in range? Is it unlocked? Do the wearer's biometrics match?

Most individuals have (for better or worse) bought into the (relatively) closed system of Apple products – why not continue leveraging that to their advantage?


So I've been thinking about biometrics and phone security a bit, and it seems to me there is a pretty easy way to tell how secure your phone needs to be on an X/Y chart where Y = Security needed and X = Data sensitivity/Personal-ness.

I'd say the ideal plot would follow an exponential curve, and it seems that if you didn't keep a lot of personal data on your phone and all your social, financial and mail accounts can be reset quickly via the web, you don't need much security provided you maintain custody of your device. That said, I'm glad that any claims as to the security of biometrics are not just taken at Apple's/Samsung's/Google's word.

I remember the iPhone X event stated that there was an exponentially smaller chance that someone else's face could unlock your phone, and that masks "won't work". I could also be mis-remembering, but there is a way to tell the iPhone X to not allow your face if you find yourself compromised in some way. So unless someone has access to make a 3d rendering of your face, the means to make a mask and the opportunity to take your phone before you can signal that you want to authenticate with a password, it seems pretty secure...


I'm actually going to be very interested to hear how FaceID works for the average user. False positive is one issue and one Apple lauded as being lower than TouchID.

What about the false negative rate however? This is what will actually aggravate users.

As a user I like touch unlock. I can do it without looking at the phone, having the phone gave me, in the dark, wearing sunglasses and so on.

To me face recognition just seems like a huge step backwards. I'd love to be proven wrong.
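The false-acceptance versus false-rejection trade-off raised in the comment above (and the "1 in a million vs 1 in 100,000" rumour earlier in the thread) can be made concrete with a small threshold model. This is an added example, not code from the thread, from Bkav or from Apple; the matcher scores, the accept-if-score-above-threshold rule and the attempt budget are constructed assumptions used only to show how loosening a threshold to cut false rejections raises false acceptances.

```python
"""Threshold trade-off in a score-based biometric matcher (constructed example).

Model assumption: the matcher returns a similarity score in [0, 1] for each
unlock attempt and the device accepts when score >= threshold.  Genuine-user
and impostor scores below are made-up sample values, not real Face ID data.
"""
from typing import Iterable, List, Tuple

# Constructed sample scores (hypothetical matcher output).
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.79, 0.97, 0.68, 0.90, 0.86]
IMPOSTOR_SCORES = [0.21, 0.35, 0.62, 0.44, 0.71, 0.30, 0.55, 0.66, 0.40, 0.52]


def rates(threshold: float,
          genuine: Iterable[float] = GENUINE_SCORES,
          impostor: Iterable[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (FAR, FRR) at a threshold.

    FAR: fraction of impostor attempts accepted (score >= threshold).
    FRR: fraction of genuine attempts rejected (score < threshold).
    """
    genuine = list(genuine)
    impostor = list(impostor)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def sweep(thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for each threshold, to see the trade-off curve."""
    return [(t, *rates(t)) for t in thresholds]


def equal_error_threshold(step: float = 0.01) -> Tuple[float, float, float]:
    """Lowest threshold (on a grid) where |FAR - FRR| is minimal: the EER point."""
    best = None
    t = 0.0
    while t <= 1.0:
        far, frr = rates(t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
        t = round(t + step, 10)  # avoid float drift on the grid
    return best[1:]


def success_probability_within(far: float, attempts: int) -> float:
    """Chance an impostor is accepted at least once within an attempt budget.

    Each attempt is treated as independent with acceptance probability `far`;
    the budget models a lockout after a fixed number of failures.
    """
    return 1.0 - (1.0 - far) ** attempts


if __name__ == "__main__":
    for t, far, frr in sweep([0.60, 0.65, 0.70, 0.75, 0.80]):
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    print("equal-error point:", equal_error_threshold())
    # Loosening a 1-in-a-million matcher to 1-in-100,000 raises the chance of
    # an impostor getting through a five-attempt lockout budget by roughly 10x.
    for far in (1e-6, 1e-5):
        print(f"FAR={far:.0e}: P(success within 5 tries)="
              f"{success_probability_within(far, 5):.2e}")
```

Running the sweep shows the shape a practitioner cares about: raising the threshold drives FAR toward zero at the cost of rejecting the legitimate user more often, and the only way to lower FRR without new sensor information is to accept more impostors. The attempt-budget function is why a lockout after a handful of failures matters so much more than the headline FAR figure alone.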


Only negative results I’ve had were due to either proximity (it can’t see my face properly- too far away or too close) or obfuscation (lying on pillow which obscures too much of my face)

Overall it’s much smoother and non-intrusive than TouchID

I’ve never needed to unlock my phone in a situation where I’m not about to look at it so I’m not sure what use case you’re running into there.

As for in the dark: it automatically scans when you swipe up, so no issue. Don’t think of it as “using Face ID” think of it as “swipe up to unlock phone”. The Face ID is just an implementation detail.


I have a friend with an X who just bought a new pair of Ray-Bans because her last pair wouldn’t work with FaceID. Pretty bizarre but understandable.


One thing that’s usually missed is that passcodes aren’t that secure if you unlock your phone with strangers around or if there are surveillance cameras filming you.


The one answer that is missing from this QA is how many tries they had before it worked.

Did they configure Face Id, made the mask and then it worked immediately? Did they tinker with the mask until it worked? From the way this is written I suppose the latter.

Nevertheless, I thought Apple was detecting small movements in eyes to ensure that the subject in front is actually a living human. I don't know where I got this from, but now I am disappointed.


*I thought Apple was detecting small movements in eyes to ensure that the subject in front is actually a living human

Face ID does track eye movement ("require attention"), but you can turn off that setting. I haven't found any information as to whether the firm disabled the eye tracking for this crack.


> A: We used a popular 3D printer. Nose was made by a handmade artist. We use 2D printing for other parts (similar to how we tricked Face Recognition 9 years ago). The skin was also hand-made to trick Apple's AI.

> Q: What's the approximate cost of the mask?

> A: ~ 150 USD

Taken together, the second answer cannot be true. Only if the cost stated is related to material cost only, which is only one input factor to assess the total cost of this approach.


What other cost are you referring to? The 3D printer? You can send your design to a studio and they'll print it for you and send it, or you can rent time in some places to get access to a printer, without needing to buy one.

In any case, if it needed only a paper print, you wouldn't count the cost of the printer, since you can print it anywhere.


Human labor is expensive. Not accounting for that is a bit disingenuous.


Artists aren't particularly well paid.


… for pure art, maybe. For commercial artists, especially ones capable of precise results on a deadline and, in this case, also not asking too many questions?


not true either, read up on past stories of skilled forgers of paper currency: their labor was surprisingly inexpensive.


Do you have any citations?


Human labor cost for example, but apart from that: how many masks were used to trick Face ID? I would assume it was not prototype number 1 that did the trick


$150 for the printable parts of the mask.

Then "hand made" skin, which they don't reference cost or time spent creating.

Then "hand made" nose, which they don't reference cost or time spent creating.

Also makeup, which they don't reference cost or time spent applying.

This is a security firm serving up info with HTTP, not HTTPS, ducking every serious question to the point it seems likely they are hiding something. Even if everything they claim is true, their attack vector is so difficult chances of success would seem to be effectively nil.


I assume this was done in Singapore where prices should be a bit cheaper, if you don't have a 3D printer you can always get a service for the 50 USD, and probably give the rest to an art student to make you the nose? :D

Not sure about the "hand-made" skin, but it might just be some white and glossy paint?


This seems to be a Vietnamese firm actually


Nitpicking the cost of the labor to build this mask misses the point of the article: face id is much less secure than Apple claims.


They've shown an "attack vector" that's virtually impossible to reproduce. Someone has to be able to get detailed 3D renders of your face before also stealing your phone. Then they have to get a team of artists to hand craft your nose, hand craft human-like skin, 3D print a mask, and a makeup artist to make it all look realistic.

In the end, what they've shown is that FaceID is just as secure as Apple claimed. Apple never claimed it was impervious to any attacks; they claimed it would work well and quickly, and be more resistant to attack than TouchID. Requiring a Mission Impossible level team to create a mask that duplicates your face is not a level of attack most customers are concerned with.

TouchID can be defeated simply by stealing the device, lifting the owner's fingerprints from said device, and 3d printing duplicate prints to use. FaceID is far more secure than that.


Costs do matter for their claim, because given an indefinite budget every security measure can be broken.


On the surface though, these guys look to be a small company in Vietnam, so I doubt they have an infinite budget, much less a "large" budget for this demonstration.


What claims have they made? That it can’t be fooled by masks? No. That one in a million other faces can open your phone. That’s still fewer people than could open your phone with Touch ID.

At no time that I’m aware have Apple claimed resilience against masks or gelatin fingers.


Yes, Apple claimed that it can't be fooled by masks. The article even has the picture from the slide of the presentation. Did you read it?


I would really appreciate an option for 2FA: Require both a PIN and Touch ID / Face ID to unlock the phone. With long passphrase to disable this again.


Would it be possible to just capture the IR beams with a camera, and use a projector to send to the phone's sensor a new set of IR points as they would appear if they were projected on an actual 3D model? This would allow to use only a digital model of a face, without the need for printing it.


FaceID resists this by using a random dot pattern. If the pattern it gets back doesn't match what it sends you get a lockout.


You'd need a very precise IR projector. That's likely very far away from a DIY home made solution in terms of costs.


Biometrics are usernames not passwords. Biometrics should never be used on the sole authentication method they should only be used in conjunction with something else.


Biometrics are usernames not passwords

That's such a meaningless slogan. Passwords and biometrics have different pros and cons, but they are the same in that they increase security.

Biometrics should never be used on the sole authentication method

* Biometrics is always better than no security.

* Biometrics done well is certainly better than a 4-digit PIN.

* Biometrics on an iDevice is in fact always used with something else, which is the device itself: Touch/FaceID on an iPhone can only be used to access that particular iPhone. I.e. if you manage to steal my fingerprint, you can only use it to access the devices that I have set up to use my fingerprint. This means that my fingerprint alone is not of any value, unless you can also gain physical access to my phone. Compare this with a password which, if stolen, allows attackers on the other side of the globe to access my accounts.


>That such a meaningless slogan. Passwords and biometrics have different pros and cons, but they are the same in that they increase security.

It is not a meaningless slogan, if biometrics give the wider public a FALSE sense of security in that companies like Apple pitch them in unrealistic and inaccurate ways in their marketing that gives the average Joe the false idea that biometrics are more secure than they really are, and secure more data than they really do.

>Biometrics is always better than no security.

That's not only a pointless statement, but a False Dilemma Fallacy as well

>Biometrics done well is certainly better than a 4-digit PIN.

Done well is the key part, and again that is a False Dilemma Fallacy as you assume the choice is between a 4 digit pin and Biometrics, it is not

> if you manage to steal my fingerprint, you can only use it to access the devices that I have set up to use my fingerprint. This means that my fingerprint alone is not of any value, unless you can also gain physical access to my phone. Compare this with a password which, if stolen, allows attackers on the other side of the globe to access to my accounts.

it is funny you mention that because often I see people set VERY insecure passwords because they believe that their biometrics protect their password. So they set an insecure password "They will never use or need" because they rely on biometrics and believe it provides all the security they need, not just the security of the device, but since they only access their data from that device they are lulled into a false sense of security that the biometrics are protecting not only their device but ALL OF THEIR ACCOUNTS


Biometrics give the wider public a FALSE sense of security

Oh, please! There is an abundance of evidence to show that the wider public is completely uninterested in security to the degree that a majority will disable security features altogether if they are inconvenient to use in the slightest. People don’t use biometric authentication because they are misled to believe that it’s more secure than other methods of security. They use it because it’s the most convenient method.

That not only a pointless statement, but a False Dilemma Fallacy as well

In principle perhaps, but not in practice. Before biometric authentication became widespread, it was completely normal not to protect your phone at all. And when it was protected, it was almost always with a 4-digit PIN that you only had to enter after some amount of time had passed since you last unlocked the phone.

often I see people set VERY insecure passwords because they believe that their biometrics protect their password

That’s a nice anecdote which may be a completely accurate account of what someone told you. Or not. I find it hard to believe with no evidence that such a specific misunderstanding should be widespread. I do find it very believable that people use bad passwords, because people have always used bad passwords. As long as we’re exchanging anecdotes, I can tell you that I personally changed from a 4-digit PIN to a longer password when I got Touch ID, because it wasn’t as inconvenient when I only had to type it in once in a while as opposed to every time I unlock my phone.


It's also worth noting that iOS defaults to asking for a 6 digit PIN when you set up a new device. You can switch it to 4/0/alphanumeric, but the default is 6.


> Biometrics are usernames not passwords.

Biometrics are biometrics. They're distinct from username and passwords.

They can be used for low effort access control, the same way that most locks are easy to pick or bypass but are still useful to block crimes of opportunity.


They realize that at Apple too. Face/Touch ID can be forcefully disabled for enterprise. However for an average Joe this is not a threat.


Can you require both face and password?


That would be an extremely bad idea. In that scenario, imagine FaceID fails to recognize you, now you can't get into your device. Currently if FaceID fails, you have passcode as an alternative way into the device.


Although fingerprint AND face/iris scan would probably add more confidence, with passcode as a reserve option.


No. As far as I know, there is no such device on the market. You can disable Face ID, but can't force it in combination with passcode, for example. Android allows you basically the same approach: any of the currently enabled methods. It is awkward though that there is no option to have that sort of 2FA for mobile devices, where at least two methods would be required, or strictly specified ones.


That something else is your device. Biometrics should never be used on remote systems.


Cool that they took the time to explore the limits of it, but FaceID is about convenience with security, not maximum security. Having physical access to the phone is still required, which is a pretty big obstacle for this kind of attack.

There is also a quick button squeeze you can do that requires passcode for the next unlock, so you can do that before you go to bed if you're really afraid someone is going to gain physical access to your device.


I wish both companies would allow us to have both PIN/PASS + biometric together and not strictly separately as it is now. At least as an option.


It would make a lot of sense for the new iPhone actually, since with the PIN you're usually already looking at the screen.


I’d love to see more details. When TouchID was hacked, it caused a minor sensation. When details of the hack emerged, it turned out to be not a sensation at all, but a process that can hardly be replicated by real criminals.


What stops someone from taking the phone and "flashing" it at your face, having the phone unlocked before you understand what's going on? Or do you have to hold the phone to the face while typing the password?


The same thing that stops someone from jumping you and forcing you to unlock with Touch ID.


well, we only need a process to rotate faces now every month and a minimum complexity check because faces with only one nose are clearly not secure enough


"the phone shall recognize you even when you cover a half of your face". I wonder what half and why this works.


Probably because of clothes such as hats and scarves.


Nevermind. Should have read the article. I thought it was the same as the one I saw over the weekend.


Edit: the op asked if this could be done with the user knowing (I don't know why the question was removed).

"We might use smartphones with 3D scanning capabilities (like Sony XZ1); or set up a room with a 3D scanner, a few seconds is enough for the scanning (here's an example of a 3D scanning booth). An easier way is photograph-based, artists craft a thing from its photos. Take the nose of our mask for example, its creation is not complicated at all. "


I tried to delete it but you were too quick to answer so deletion was blocked. The question was clearly answered in the article.


I hope this does not result in me getting 3D face scanned as I pass through border control


I think the "self-service" passport gates in the EU already do this.


Actually quite a few countries already do this e.g. Australia.

Although I am not sure if it's based on your head or just scanning your iris.


Well that was already the case for fingerprints, so, nothing new there. Matter of time before a 3D representation of your face becomes mandatory in biometric IDs / passports too.


<here was a misleading comment>


He does no such thing. The passcode is never entered in front of the mask. They also explicitly state in their Q&A that the passcode was never entered in front of the mask.


I don't see any suggestion that this is what they did in the demonstration. In fact, quite the opposite is suggested:

"Q: Were you able to use the mask to unlock the iPhone immediately after freshly enrolling the real face? The reason I ask is that, according to Apple's whitepaper, Face ID will take additional captures over time and augment its enrolled Face ID data with the newly calculated mathematical representation. Can you describe precisely how you went about conducting this experiment?

A: It does not matter whether Apple Face ID "learns" new images of the face, since it will not affect the truth that Apple Face ID is not an effective security measure. However, we knew about this "learning", thus, to give a more persuasive result, we applied the strict rule of "absolutely no passcode" when crafting the mask."


It's conspicuous that the real face of the user of the iPhone isn't shown in the video or in photos on the site.


In the video, he shows the iPhone being unlocked with his own face at 1:06:

https://m.youtube.com/watch?v=i4YQRLQVixM


So it does. It seems that the iPhone is better at recognising faces than me at least.


On the bright side, this seems to confirm that one would be able to use FaceID if mugged and beaten black and blue.


Finally a useful application for 3D printers.


Wonder if this would work had Apple not relaxed their FaceID sensor requirements to ship the phones more quickly.


While I recall this rumour I thought it was widely discredited. Was there any actual evidence of this?


Apple denies they ever relaxed any sensor requirements.

Attacks will always be possible because FaceID can never be infinitely precise. Your face changes over time, even during the day. People wear glasses or sunglasses sometimes, and take them off sometimes. They grow facial hair, and shave it off. They wear makeup, and take it off. They pick up black eyes in jiu-jitsu class.

There is a balance between maximum precision and maximum usability. Apple's task was to find that balance. This hacked up "exploit" does nothing but show they found the proper balance.

