Apple recently showcased the brand-new iPhone X at the Steve Jobs Theater in California, complete with edge-to-edge display and a new facial recognition system dubbed Face ID. Apple claims that Face ID is incredibly accurate and secure, and states that there’s a 1 in 1,000,000 chance of a passer-by on the street gaining access, compared to 1 in 50,000 with Touch ID.
But even with the high-end TrueDepth camera system, some Apple fans aren’t convinced that Face ID is more secure than Touch ID. So, is Face ID secure? We look at all the evidence below. We've also compared Touch ID and Face ID for those new to the world of Apple security measures.
How secure is Face ID?
So, how secure can using your face as a way to access your phone and make payments? Apple claims that it’s an incredibly sophisticated system that will take a lot to be fooled, but past failures from other manufacturers and comments from security experts seem to disagree.
Apple on Face ID
First up, let’s explain how Apple’s Face ID works and what Apple says about the technology. The magic behind the feature is due to the TrueDepth camera system present on the iPhone X, comprised of a flood illuminator, IR camera and a dot projector alongside standard components like the front camera, speaker and proximity sensor.
The flood illuminator detects your face, even in the dark, before capturing an image with the IR camera and projecting 30,000 dots onto your face to take a depth reading. All this is analysed using Apple’s A11 Bionic chipset capable of 600 billion operations per second, and is compared with credentials stored on the iPhone.
While it sounds cool, consumers are worried that Apple’s Face ID can be fooled by photos and the like. Apple, rather obviously, claims otherwise. In fact, the company claims that there’s a 1 in 1,000,000 chance that a random person in the street will be able to unlock your Face ID-protected iPhone.
That is unless you’ve got an identical twin – even Apple’s sophisticated tech isn’t that good. So, if it can’t tell the difference between twins, why should people put trust in Apple’s facial recognition system?
Apple claims that the Face ID system can’t be fooled by photos, videos or any other kind of 2D medium thanks to the way faces are measured in 3D. The company has even worked with high-end Hollywood mask makers to make sure that even the most detailed, life-like masks wouldn’t fool it – although the company didn’t mention during the press conference whether the masks actually fooled it in the end.
Previous facial recognition fails
While Apple seems confident about Face ID’s abilities, there have been many manufacturers with similar claims in the past – and they never went well.
Let’s start with the basics. Android had the option for facial recognition on the lockscreen way back in 2011, and could be easily beaten with a photo. Even the updated version of the Face Unlock system that required users to blink before it unlocked was shown to be unreliable after a bit of Photoshop magic.
But while Apple’s hardware is designed specifically for facial recognition, the Android Face Unlock system utilised whatever hardware was on the plethora of Android devices at that time – none with tech as sophisticated as Apple, so you can’t expect the same results.
It was a similar story with Alibaba’s facial recognintion system. Back in 2015, Popular Science writer Dan Moren managed to beat the system simply by using a video that included himself blinking, but only because the system couldn’t detect depth.
That’s not to say that depth-sensing facial recognition systems are perfect, either. Back in 2015, Berlin-based SR Labs used a plaster mold of a test subject’s face to cast a model that managed to beat Microsoft’s Hello facial recognition system. The system is available in a range of laptops that use similar infrared depth-sensing cameras as Apple.
Admittedly, the group didn’t publish which kind of material it used in the mold, but the founder Karsten Nohl noted that it also mimicked the light-reflective properties of the skin as well as the shape of the face, although “it’s definitely harder than spoofing a fingerprint”.
As mentioned above, Apple has worked with high-end mask makers to try and make the system intelligent enough to spot a fake (no matter how good) but whether it has succeeded, we’re yet to find out. We imagine there will be many security experts putting Face ID to the test once readily available in November, so we haven’t got long to find out the final verdict from the security community.
Security experts on Face ID
But while Face ID is yet to be tested by security experts around the world, that hasn’t stopped some from commenting on the system.
Marc Rogers, a security researcher at Cloudflare claims that Face ID isn’t impossible to crack. Cloudflare was one of the first companies to demonstrate that Apple’s Touch ID tech wasn’t perfect and managed to spoof a fake fingerprint to defeat the system, so the company knows what it’s talking about.
Talking about the system ahead of its announcement at Apple’s September 2017 event, Rogers suggested that 3D printing a target victim’s head and showing that to their iPhone X might be all it takes to gain access. “The moment someone can reproduce your face in a way that can be played back to the computer, you’ve got a problem," Roger says.
“I’d love to start by 3-D-printing my own head and seeing if I can use that to unlock it."
Rogers isn’t the only security expert to think about the 3D printing as a potential workaround for Face ID – Prof. Kevin Curran, Professor of Cyber Security at Ulster University also suggests that it could be a potential route for thieves to go down.
“Scans of our fingerprint are not out there on the web, yet images of our faces state back at us from multiple social media profiles. Will someone 3D print your face and be able unlock your phone?”
Again, Apple has worked with high-end mask companies to make sure their highly-detailed masks wouldn’t work with Face ID, so we can’t imagine a standard 3D-printed head will be able to achieve the desired effects but hey – we’re happy to be proven wrong.