In its quest for hardware perfection, Apple can’t seem to resist testing the balance between making things easy and making them secure. Sure, a six-digit passcode is virtually impossible for a thief to crack before his repeated attempts lock the phone, but it demands an unacceptable fraction of a second for you to tap it out. Even TouchID requires a home button that Apple has deemed unsightly. Now, in its continuing war on inconvenience, Apple has replaced TouchID in its new flagship iPhone X with FaceID, a system where your face acts as password. In doing so, it’s about to give an unproven biometric security technology its biggest field test yet.
In theory, FaceID simply requires you to look at your phone, and it will recognize you in a split-second and unlock itself. FaceID will be integrated beyond the lock screen, too, in everything from downloading new apps to making payments with Apple Pay.
“With the iPhone X, your iPhone is locked until you look at it and it recognizes you. Nothing has ever been more simple, natural and effortless,” Apple exec Phil Schiller effused in the launch keynote. “This is the future of how we’ll unlock our smartphones and protect our sensitive information.”
If so, Apple’s version will have to overcome the deficiencies of the past. And while FaceID appears to improve on previous implementations in key ways, using your face as the sole key to your device’s contents presents larger issues that may be harder to overcome.
Facial recognition has long been notoriously easy to defeat. In 2009, for instance, security researchers showed that they could fool face-based login systems for a variety of laptops with nothing more than a printed photo of the laptop’s owner held in front of its camera. In 2015, Popular Science writer Dan Moren beat an Alibaba facial recognition system just by using a video that included himself blinking.
Hacking FaceID, though, won’t be nearly that simple. The new iPhone uses an infrared system Apple calls TrueDepth to project a grid of 30,000 invisible light dots onto the user’s face. An infrared camera then captures the distortion of that grid as the user rotates his or her head to map the face’s three-dimensional shape—a trick similar to the kind now used to capture actors’ faces to morph them into animated and digitally enhanced characters.
That 3-D shape should prove vastly tougher for anyone to spoof than the simpler image recognition previous systems have deployed. But not impossible, insists Marc Rogers, a security researcher at Cloudflare who was one of the first to demonstrate spoofing a fake fingerprint to defeat TouchID. Rogers says he has no doubt that he—or at least someone—will crack FaceID, too. In an interview ahead of Apple’s FaceID’ announcement, Rogers suggested that 3-D printing a target victim’s head and showing it to their phone might be all it takes. “The moment someone can reproduce your face in a way that can be played back to the computer, you’ve got a problem,” Roger says. “I’d love to start by 3-D-printing my own head and seeing if I can use that to unlock it.”
After all, even three-dimensional facial recognition systems have been spoofed before: Two years ago Berlin-based SR Labs used a plaster mould of a test subject’s face to cast a model that beat Microsoft’s Hello facial recognition system. That set-up was implemented in multiple brands of laptops, and used the same sort of infrared depth-sensing cameras. The group didn’t publish what kind of material it used in that mould, but SR Labs founder Karsten Nohl notes that it mimicked not only the shape of the target’s face but also the light-reflective properties of skin. “It’s definitely harder than spoofing a fingerprint,” says Nohl.
In his keynote presentation, Apple’s Schiller suggested that even that kind of spoofing won’t work against FaceID. He showed a photo of minutely detailed masks created by Hollywood special-effects consultants that he said Apple’s used to test the feature. Schiller didn’t, however, go as far as to claim that none of those masks defeated the system.
Big questions remain unanswered about FaceID’s security, and it won’t be clear how secure the system really is until outside troublemakers like Rogers or Nohl get a chance to publicly test it. It’s possible, for instance, that Apple’s facial recognition technology uses color-based image-recognition in its detection scheme, which would require any simulated face designed to spoof the system to be meticulously colored, too. But on that point Rogers says FaceID may not actually measure color at all, since it requires processing and depends on variables like the lighting in the room, your health, and whether you’ve recently gotten a tan or a sunburn. “Color doesn’t add that much value and it’s very variable,” Rogers argues.
Regardless of the specific technological approach, the very notion of using your face as the key to your digital secrets presents some fundamental problems. Unlike a passcode, your face can’t easily change. If someone does find a way to spoof it—like the SR Labs method or the 3-D printing Rogers proposes—they can spoof it forever. (As Schiller conceded in his keynote, any identical twins will also need to deeply consider how much they trust their sibling.)
Second, it’s very hard to hide your face from someone who wants to coerce you to unlock your phone, like a mugger, a customs agent, or a policeman who has just arrested you. In some cases, criminal suspects in the US can invoke the Fifth Amendment protections from self-incrimination to refuse to give up their phone’s passcode. That same protection doesn’t apply to your face. Apple says that you’ll need to look directly into the screen to unlock FaceID, so it won’t be easy to trick someone into triggering it, but the cops could simply lock you up for contempt of court until your eyes cooperate.
Both of those issues apply for TouchID, too. But FaceID introduces a new problem that TouchID has never had: Your face sits out in the open, displayed in public, and well-documented across social media platforms. Using it as a secret key is a little like writing your PIN on a Post-It note, slapping it on your forehead, and going for a stroll. Even photos on Instagram and Facebook might be enough to compromise your control of your face as a login mechanism. Researchers at the University of North Carolina last year showed that they could use Facebook photos alone to reconstruct a 3-D virtual model of someone’s face that could defeat five different facial-recognition applications they tested it against, with between 55 and 85 percent success rates.
None of that makes FaceID useless or broken—far from it. For the average iPhone owner, the difficulty of spoofing FaceID and also gaining physical access to a target iPhone will likely make any attack on it a monumental waste of effort, says Rich Mogull, a security analyst who has long focused on Apple. “If you have to 3-D print a model of someone’s face to defeat this, that’s probably an acceptable risk for most of the population,” says Mogull. “If that’s the economic cost to break into one of these devices, we’re ok.”
That said, he adds that those with more security sensitivities should simply turn it off—and TouchID too, for that matter. “If I were an intelligence agent, I wouldn’t turn on any biometric,” Mogull says.
That caveat isn’t an all-or-nothing proposition. Since you can enable or disable FaceID for specific applications, Rogers suggests that cautious users can, for instance, choose to use it for unlocking the phone but not for payments. And Apple seems to have itself acknowledged that its biometrics aren’t an infallible solution. “There’s no perfect system,” Schiller said during Tuesday’s presentation, caveating that another face could unlock the iPhone X one in a million times—although that’s among faces chosen at random, not ones carefully designed to mimic yours.
‘If I were an intelligence agent, I wouldn’t turn on any biometrics.” —Security Analyst Rich Mogull
More concrete evidence that Apple recognizes the limitations of FaceID can be found in two other new features in iOS 11. One requires the user to enter the phone’s passcode to trust a connection to a new computer, making it far harder to extract the data from an unlocked phone. The other is an “SOS mode” that allows the user to hit the home or power button five times to disable TouchID or FaceID, depending on the phone’s model.
Those features show that even Apple understands the need for layers of security above and beyond FaceID. And Rogers warns that no iPhone owner should harbor any illusion that their phone’s facial recognition, as slick as it seems, isn’t a security compromise in exchange for convenience. “Apple always wants its user experience to be delightful,” says Rogers. “In the security world that means you’re going to have accept certain limitations.” And if those limitations mean your most secret of secrets get a little less secure every time someone tags you Facebook, perhaps you should consider using an old-fashioned passcode instead.