Apple recently unveiled the iPhone X, a more premium (and more expensive) version of the iPhone 8 that boasts a few additional features, including a “FaceID” face authentication system meant to replace the fingerprint-based Touch ID. In a recent post and paper, Apple revealed more details about the feature's security, and how it may be better than previous (failed) attempts at doing face unlocking properly.
Face Unlocking: A History Of Failure
Face authentication technology has proven to be one of the most unreliable authentication methods, especially in the mobile industry. Almost every time Google or an Android OEM would launch (and re-launch) such a feature, the system was bypassed quickly, often in a matter of days and with something as simple as using a 2D photo of the phone’s owner.
Even one of Samsung’s latest flagship smartphones, the Galaxy S8, suffered from the same problem recently, despite the issue of 2D photos bypassing face authentication systems being known for years.
Research has also shown that systems using 3D profiles of someone’s face could also be bypassed, so it’s no surprise that many are skeptical about Apple’s new 3D Face ID system.
Face ID’s Security Features
Face ID brings a few new security features that should protect it against being easily bypassed, but ultimately it remains to be seen if it can withstand attacks from security researchers, malicious hackers, and law enforcement trying to access a phone without the owner’s permission.
One of the additional protections that many face unlocking systems don’t use is an infrared camera. This should make the system more secure because you can’t extract an infrared profile from someone’s photos. It should also eliminate some issues with trying to unlock the device in low-light environments.
Another one is creating a depth map of your face, using the “TrueDepth” camera, comprised of 30,000 data points. The system uses an algorithm only Apple knows, so presumably if anyone wants to spoof someone’s face, they’d first have to reverse engineer that algorithm.
The depth map and infrared image are then transformed into a mathematical representation that is compared to the originally enrolled facial data, every time the user unlocks the device. Both the original data and the later mathematical representations are encrypted with a key that’s stored in the Secure Enclave.
According to Apple, Face ID has a False Acceptance Rate (the probability that a random person will unlock the device) of 1:1,000,000 compared to “only” 1:50,000 for the fingerprint-based Touch ID. However, this doesn’t necessarily mean that Touch ID is 20x more secure than Touch ID. If someone wants to break into your phone, they may already have your online photos or a 3D profile from public surveillance cameras, so they will build their spoofed profile from that data, rather than from random pictures of people.
Face ID also uses machine learning to detect when someone tries to spoof the system, such as with a mask or some other 3D profile of your face that doesn’t have all the data the system requires to identify a real face.
Face ID is also attention-aware, which means that someone can’t unlock your device without you looking straight at the camera with the eyes open.
Additional Protections
To use Face ID, you must first set-up the iPhone’s passcode. The password is also required in the following situations:
The device has just been turned on or restarted.The device hasn’t been unlocked for more than 48 hours.The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn't unlocked the device in the last 4 hours.The device has received a remote lock command.After five unsuccessful attempts to match a face.After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
The last one specifically could be used before going through an airport’s security line or when stopped by cops, for example, if you fear that they may physically force you to unlock your device. Typically, password-protected devices are safer in courts than devices locked via biometrics.
Additionally, if the phone is lost or stolen, you can remotely prevent anyone from trying to unlock the device using the “Lost Mode” provided by Apple’s Find My iPhone service. This should further guarantee that someone can’t bypass Face ID by stealing your phone and then trying to spoof your face (if the thief is able to bypass all the other protections in the first place).
The TrueDepth camera also comes with tamper-detection features. The Face ID system may be disabled for safety reasons if the tampering detection is activated.
Above And Beyond What’s Required
Face unlocking systems have had a poor track record, which may be why Apple seems to have gone above and beyond what is needed for such a system to function, to ensure that it can’t be bypassed. This can’t be said by the far too many manufacturers that continue to provide users with presumably safe face authentication systems that can then be disabled with a simple 2D photo of the device’s owner.
People interested in using face unlocking systems for their mobile devices should recognize that not all such systems are equal. In fact, most of them are not secure, unless their manufacturers also use additional hardware (such as infrared and depth cameras) and additional anti-spoofing algorithms and protections to ensure it’s all but impossible to bypass them. (Which is, of course, exactly what Apple has done with the iPhone X.)
In the meantime, simple front-facing cameras being used for face unlocking should probably be considered insecure, and you should stick to fingerprint authentication or PINs and passphrases.
