Should You Be Worried That FaceID was Hacked?

November 14, 2017

 

No doubt you've seen the news already: Hackers are claiming they've overcome Apple's new FaceID protocols with a 3D-printed mask.  Since FaceID replaces TouchID on the iPhoneX and will no doubt be a big feature in iPhones going forward - and since similar technology will probably end up as a standard in other phone platforms and even laptops/desktops soon enough - should you be worried?  No, not really.  Let's discuss FaceID and why this news isn't as dire as it sounds on ... wait for it ... its face.

For those not in the know (or those who just avoid Apple press releases like the plague), FaceID is the technology implemented on the iPhoneX to replace TouchID - where you could use your fingerprint to unlock the phone and authorize payments and other functions securely. FaceID uses a scan of your face via multiple sensors on the front of the phone to generate a unique identification based on the topology of your eyes, nose, and other facial features.  The technology isn't really new - multiple vendors have offered it on various devices for years - but the fact that Apple adopted it into one of the hottest phone releases of the last few years made news - and made waves.   

There are concerns with FaceID, to be sure. Since you don't have to put in a passcode/passphrase and don't have to be touching the phone yourself for someone to unlock it (as you would have to do for TouchID), security analysts were concerned that a third party could point the phone at your face and get it unlocked without your direct input. While unlikely, it is possible that this situation could happen. Also note that various things, from lighting conditions to eyewear, could screw up the face-print, though Apple says they've taken those into account and that they don't impact FaceID or its ability to identify your face even if you're wearing glasses.

That being said, advanced printouts - as it turns out - can indeed create a facial facsimile that can fool FaceID. Don't panic, however, as it's highly unlikely you'll ever be impacted by the technique used by the team that did it. First off, while the manufacturing materials and methods used can be acquired by just about anyone, it's not as simple as taking a photo and generating a FaceID-beating doppelgänger. The hackers had to create a detailed scan of the actual face of the person used for the experiment. Basically, they had to gather all the data-points and information that FaceID itself uses, and that's no easy feat. A detailed scan of your face would be quite noticeable if you're awake, and would take too long to finish before you moved or woke up if you're asleep. So, you won't get your face scanned and stolen when you're not looking or anything like that.

Secondly, the fake face needs to be held in front of the iPhone itself before it will unlock. So even if someone managed to scan your face, create a 3D-printed frame, detailed 2D printouts of the various data points, and mold your nose - it's unlikely you wouldn't notice someone holding up a facsimile of your face in front of your phone. Note that if someone steals your phone, they aren't likely to also have a scan of your face handy, so you're safe there too. In short, someone would need to have a lot of time and a really willing "victim" to re-create this - two things you won't generally find together, either among people trying to keep criminals out of their phones or among the criminals themselves. The bad guys want to act quickly and not draw the attention of the victim by, for example, holding a 3D scanner at their face for 20 minutes.

It's also important to point out that FaceID is in its first-generation release. TouchID was found to have several security holes when it was first released, but they were quickly fixed with a combination of software updates and new hardware over time. I suspect FaceID will go through the same growth process and reach the point where it is both as secure and as reliable as TouchID is now. Until then, you can always set a complex passcode (more than 4 digits, no dictionary words, etc. - you know the drill) and disable FaceID if you're truly concerned. Or, you know, don't stand around staring into scanning cameras for several minutes at a shot - either way you're safe.
