Apple FaceID – Facing up to Apple’s new Security Challenges

One of the biggest announcements tonight at Apple’s Special Event to launch the iPhone X was the introduction of FaceID. On the iPhone X it replaces the TouchID fingerprint login with a face recognition system. Face biometrics, however, differ from fingerprint biometrics in both how they are used and in their security properties.

Based on other reports about the development of the technology, this change was driven by the difficulty of getting a fingerprint sensor to work through the glass of the new OLED display (there is no home button on the iPhone X). The change was therefore forced by a technology limitation rather than by a real desire to move away from fingerprint technology. Based on what was shown during the Apple event, I have little doubt that the technology will be user-friendly and well designed at ‘first glance’ (although it’s interesting to note that the first attempt at using it during the launch didn’t unlock the phone!).

The aspect of the technology that will be of most interest to biometric professionals is the new 3D depth camera (TrueDepth). This system appears to work like the Microsoft Kinect, projecting an infrared pattern onto the face and measuring its distortion to recover the 3D structure of the face. The extra level of security this adds to the face recognition unlock feature depends on the depth accuracy, and I’d have to say that is currently questionable. Sunlight also contains a lot of infrared, which interferes with a projected infrared pattern, so it will be interesting to see how the feature works in an outdoor setting.

In particular, there is a range of security concerns that need to be addressed. The claim during the presentation was that the chance of a random other person being able to unlock your phone is 1 in 50,000 for TouchID and 1 in 1,000,000 for FaceID. Note that this is a false match rate against zero-effort impostors, i.e. other people simply presenting their own face; it says nothing about resistance to presentation attacks using photographs, videos or masks. This is a substantial claim that I suspect will soon turn out to be a significant overstatement. As a start, your face is not a private commodity (unlike your fingerprints). A high-resolution photograph of most people’s faces can easily be found online.

Just like the fingerprint technology, I predict it won’t take long for FaceID to be hacked. The significant difference is that most people don’t have their fingerprint images online. The techniques for producing fake fingerprints are also more involved than those needed to produce fake facial images.

TouchID is currently relied on to manage security risks across a wide range of applications. Despite some vulnerability concerns in practice, TouchID has provided a good security model without the need for additional risk management. That is unlikely to be the case with the new FaceID. Application developers and users will need to be aware of the increased security risks.

Two issues briefly covered at the launch were the vulnerability to masks (the claim is that FaceID can detect these, but from the work that Biometix has done we know this is a very hard problem to solve) and people who look similar (for example, those that ‘share a genetic relationship’). I expect these issues will get a lot of coverage once people start using the new iPhone X.

On a related note, there is a serious security vulnerability facing many government departments using facial biometrics, known as morphing attacks. This is where face images of two different people are blended into a single image that a face recognition system will match to either person, so one enrolled image (for example, in a passport) can be used by both. Biometix is releasing a free morph testing set in the coming days to allow researchers and users to test their systems’ vulnerability to this type of attack.
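To make the morphing problem concrete, here is an added example of how a morph vulnerability test is scored. This is illustrative code written for this post, not Biometix’s test set or any vendor’s matcher. It stands in for a real face recognition system with a toy matcher (templates are feature vectors compared by cosine similarity), builds a morph as a 50/50 blend of two templates, and computes the Mated Morph Presentation Match Rate (MMPMR), the standard metric for morph attacks: the fraction of morphs the matcher accepts as both contributing subjects. The subjects, the noise model for a genuine re-capture and the decision thresholds are all constructed assumptions; a real test swaps in the real matcher and real morphed images.

```python
import math
import random

# Hypothetical decision threshold for the toy matcher (assumption). A real
# matcher's threshold is chosen from its false-match / false-non-match trade-off.
DEFAULT_THRESHOLD = 0.80


def cosine(a, b):
    """Similarity score between two feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb)


def matches(template, probe, threshold=DEFAULT_THRESHOLD):
    """Matcher decision: accept the probe when its score reaches the threshold."""
    return cosine(template, probe) >= threshold


def morph(a, b, alpha=0.5):
    """Blend two subjects' templates; alpha=0.5 is the symmetric 50/50 morph."""
    return [alpha * x + (1.0 - alpha) * y for x, y in zip(a, b)]


def mmpmr(pairs, threshold=DEFAULT_THRESHOLD, alpha=0.5):
    """Mated Morph Presentation Match Rate: fraction of morphs accepted as BOTH
    contributors. 0.0 = no morph fooled the matcher, 1.0 = every morph works."""
    hits = 0
    for a, b in pairs:
        m = morph(a, b, alpha)
        if matches(a, m, threshold) and matches(b, m, threshold):
            hits += 1
    return hits / len(pairs)


def _unit(v):
    n = math.sqrt(sum(x * x for x in v))
    return [x / n for x in v]


def make_subjects(n, dim=512, seed=7):
    """Constructed data: n unrelated 'subjects' as random unit vectors."""
    rng = random.Random(seed)
    return [_unit([rng.gauss(0.0, 1.0) for _ in range(dim)]) for _ in range(n)]


def genuine_probe(template, noise=0.2, seed=11):
    """Constructed data: a fresh capture of the same subject = template + jitter."""
    rng = random.Random(seed)
    jitter = _unit([rng.gauss(0.0, 1.0) for _ in template])
    return _unit([t + noise * j for t, j in zip(template, jitter)])


def run_morph_test(n_pairs=50, thresholds=(0.95, 0.80, 0.70, 0.60)):
    """Return {threshold: MMPMR} for 50/50 morphs of n_pairs unrelated pairs."""
    subjects = make_subjects(2 * n_pairs)
    pairs = list(zip(subjects[0::2], subjects[1::2]))
    return {t: mmpmr(pairs, threshold=t) for t in thresholds}


if __name__ == "__main__":
    a, b = make_subjects(2)
    print("genuine re-capture accepted:", matches(a, genuine_probe(a)))
    print("unrelated subject accepted:  ", matches(a, b))
    for t, rate in run_morph_test().items():
        print(f"threshold {t:.2f}: MMPMR = {rate:.2f}")
```

For unit-length templates the 50/50 morph scores sqrt((1 + a·b)/2) against each contributor, so two unrelated subjects (a·b near 0) give a morph scoring about 0.71 against both. The toy run shows the operational lesson: at a strict threshold no morph passes, but every step an operator takes to loosen the threshold (usually to cut false rejections of genuine users) moves the MMPMR from 0 towards 1, and with this model it is 1.0 by a threshold of 0.60. That is exactly the trade-off a morph test set is meant to expose for a real system.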

Ted Dunstone
Biometric and Security Industry Executive