Apple’s facial recognition: Well, it is more secure for the, er, sleeping user

Security watchers have given Apple’s introduction of facial recognition technology a cautious welcome. The newly unveiled iPhone X smartphone débuts an advanced facial recognition technology, called Face ID, which relies on Apple’s TrueDepth camera system. The technology features seven sensors and machine learning algorithms …


Biometrics

Repeat after me:

Biometrics do not replace passwords. Because when (not if) the item is replicated or the system is hacked, you can't change your fingerprints/retina/face structure/<random biometric item>.

Using biometrics as a key or for purchase verification is NEVER going to be a good idea.

P.S. I know how to defeat this

64
2

Re: Biometrics

I am by no means an expert but I'd go for:

- Bit of paper with a full-page photo, folded to the shape of the face that's on it?

- Bit of paper with a full-page photo, wrapped around a mannequin head.

- Bit of paper with a full-page photo, held over the attacker's own face.

Sure, it might take a bit of squidging and folding to get it right but you only need to get in once.

I'm still struggling to work out why using face-rec to unlock a phone isn't viable just because the user is asleep. I don't buy that one at all. I mean, maybe a pair of Googly Eyes might come into play to convince it that they have their eyes open, but I don't think we're talking hi-tech.

Biometrics are not authentication.

They say "I am shortly going to prove that I am this person" and then tell you which person that is. They DO NOT PROVE that you are that person. That's what actual authentication is.

16
1

Re: Biometrics

Simple. Think of all those people WITH BAD MEMORIES.

0
3
FIA

Re: Biometrics

I am by no means an expert but I'd go for:

[snip list]

The keynote implied they'd at least done some research into this. It mentioned they'd worked with film mask makers to attempt to mitigate this attack. They showed some very convincing-looking masks that were apparently used in the development process to train the recognition algorithms. I'm sure it's going to be fooled, but it did at least sound like they've considered the most obvious avenues of attack.

I'm still struggling to work out why using face-rec to unlock a phone isn't viable just because the user is asleep. I don't buy that one at all[...]

I didn't take this too seriously either; the same person said "Even if the new Apple algorithm for facial recognition cannot be fooled by photography, vertical self-videos can easily be found in the public domain - for example, on Instagram - and could be used to crack the device." Now, maybe they had access to prototype hardware, discovered and chose not to share this vuln with Apple, or maybe they're not quite as knowledgeable as they think. (Or maybe 'possibly' just got omitted from the transcript?)

Biometrics are not authentication.

They say "I am shortly going to prove that I am this person" and then tell you which person that is. They DO NOT PROVE that you are that person. That's what actual authentication is.

This, a thousand times over!

You're trading convenience for security.

So long as you know this it's fine, but I fear many people don't. (My fingerprint unlocks my phone; however, it doesn't log me into my banking app, no matter how many times the app tries to tell me I should let it.)

10
0

Re: Biometrics

Think of all those twins. The evil one could steal the other's phone!

20
0

Re: Biometrics

@FIA: People said the same about fingerprint readers, and then Gummi Bears foiled us all.

I'm not saying they haven't looked. I'm saying that the chances of them defeating that kind of attack are slim.

The precision to which you can measure a face depth mask, but still recognise it from any angle in any circumstance, with any hairstyle, etc., is very limited. Limited enough that it would still be a viable attack, no matter the amount of technology involved.

The fuzzy logic that must be involved alone gives you huge scope for simple tricks.

When the device is available to the general public, I give it a week or so before a viable bypass is found, with, say, even a low 10% success rate (hell, we can just have as many goes as we need to, really; just make them flux quickly so the iPhone just thinks the video stream is one jerky stream of bad images rather than someone actually trying to brute-force the proper depth map).

I imagine it wouldn't be outside the realms of possibility to have some kind of overlay on the camera sensor that can actually "fake" any depth you like to the same kind of resolution, either, if it's just IR.

6
1
FIA

Re: Biometrics

@FIA: People said the same about fingerprint readers, and then Gummi Bears foiled us all.

I'm not saying they haven't looked. I'm saying that the chances of them defeating that kind of attack are slim.

Apologies, I mistook your comment for the usual 'I'll hold up a photo, I bet they never thought of that' comment that I've read a lot of; often written as though they assume people develop these things without even considering the issue. I was just alluding to the fact they had considered this.

I agree that it's a case of 'when' not 'if' though.

Like with any of these things it does just boil down to convenience vs security. A face or fingerprint is probably good enough for most people, and I suppose at least if I steal your phone but don't take a picture I probably can't then lift the access method from the device.

I'd be interested to know the failure tolerances though; I assume it does 'give up' after a while and enforce the use of the PIN like it does with the fingerprint reader?

4
1

Re: Biometrics

- bit of paper wrapped round a gummi bear?

9
0

Re: Biometrics

Biometrics do not replace passwords...

Precisely. Biometric measurements are fine as a method of identification, but not as a key. Who I am should establish my user ID, but it should never be used as my password.

10
0

Re: Biometrics

Identical twins come in two varieties, some are mirror images of each other, the rest are not. (Depends when in gestation the zygote splits.)

Some evil twins are going to need a shiny object.

1
0

Re: Biometrics

Also remember that the vast majority of smartphone users have such a strong preference for 'convenience' it's almost off the charts.

I'm actually (for once) more or less entirely positive about touch ID and face ID for 99.9% of phone users for this simple reason. I mean, the internet is full of comment threads like this about how touch ID can be 'defeated' using complex schemes involving gummy bears or whatever and face ID can maybe be defeated by, well, we don't know yet, but very likely something at least equally complex (given that Apple really does seem to have done some pretty solid work on making it resist the old 'use a photo' gag, etc.)

This is all fine and dandy and very nerdy, but rather heroically missing the point. How hard was it to break into most people's phones *before* touch ID? It was about as hard as 'pick up phone, swipe screen', because most people *just didn't bother locking their phones*. They don't want to bother typing a passphrase or swiping a pattern, it's effort they're just not willing to expend.

Even people who *did* lock their phones generally used a hilariously weak password or pattern and never, ever changed it. Getting into one of those is about as hard as 'try 1234' or 'shoulder surf for a few minutes until you see them enter the pattern, *then* steal the phone'.

It's not like the competition for touch ID / face ID is 'a world of people who lock their phones with strong passwords and change them regularly'. It's 'a world of people who don't lock their phones or use 1234 as the password'. Given this, all the arguing about Mission Impossible-style scenarios is a bit ludicrous. Touch ID vastly improved *practical* security in the real world by making it much more convenient to have at least *some* security, to the point where lots of people use it who never locked their phones before. That's a *good* thing.

It does seem to be the case that face ID isn't *really* better than touch ID in any particularly identifiable way but Apple chose to go with it because of the 'can't put a fingerprint sensor on the front' problem, and that's a decision you can reasonably question. But I don't really have a lot of time for 'well, some security researchers managed to compromise it with an awful lot of effort and time so it must be a terrible idea' dick-waving.

12
1

Re: Biometrics

Bit of paper with a full-page photo, folded to the shape of the face that's on it?

Years ago, in Japan, where they sell everything in vending machines, they started selling adult products (porn, sex toys, whatever). Of course, the government required that there be safeguards to prevent underage buyers from obtaining these products.

Of course, they did anyway, and when they pulled the vending machines and looked at the photos of the buyers of all these products, they noticed a staggering number of pop stars, actors, and actresses. Although the facial recognition software was very good at differentiating between a face that was 12 years old and one that was 19, it wasn't good at differentiating between a 32 year old actress and a photograph of a 32 year old actress.

6
0

Re: Biometrics

As a convenient way of locking your phone it's quite good but then so is the fingerprint. However since the technology to read the face is here then so is the technology to simulate the face. Heck you could 3D print a face. It's not super secure.

1
2

Re: Biometrics

“Biometric measurements are fine as a method of identification, but not as a key. Who I am should establish my user ID, but it should never be used as my password.”

This seems to miss a LOT of people. I’ve heard suggestions that DNA would be good for secure authentication - which is a bit like having a password you write on post it notes and leave everywhere you go!

3
0
Anonymous Coward

Over Engineered. Give me an iPhone XE with just Pin.

It's completely over engineered for the sake of it. I'd happily take the iPhone XE without the fancy facial recognition and just a PIN, with a smaller segment cut out of the top of the display.

Absolutely no interest in using facial recognition. Even with touch ID, I still use a pin.

I'm sure the iPhone XE (like the iPhone SE) will happen soon enough.

2
0

Re: Biometrics

Bit of paper with a full-page photo, held over the attackers own face.

Every sign printing shop has a printer which can print on vinyl sticky film.

Similarly, every sign shop bod knows how to apply said film to a curved surface. All you need is a hair drier.

Unless the phone scans in UV and IR as well I do not quite see how you can defeat that.

0
1

Re: 3D print a face?

Sure, right after you have 3D scanned the face of the person whose phone you've just pinched.

As with the 3D-printed fingerprint solution that has been suggested before, it seems to me the main problem with most of the ways that I have heard of to 'beat' these various methods of biometric security is that they involve having access to fairly complicated equipment, and time. Not things that your average mugger on the street has access to.

0
0

Re: Biometrics

Read up on it a bit more. FaceID incorporates an IR camera among others. It isn't easily fooled. Amazingly, Apple thought of all this when they made it.

That last line sarcasm, FYI.

0
0

Re: Biometrics

"P.S. I know how to defeat this"

As do I. Cut the poor bastard's face off when you steal his phone. It works for fingerprints and retinal scans, too.

Doing a life-like Hollywood SFX mask of the face might work, as in "Mission Impossible" movies. If you put it over your own face to fool the heat sensors.

0
0

Re: Biometrics

If they really can not put a fingerprint sensor on the front, due to the screen filling that region, why not put one on the *back*?

Or am I missing something obvious?

0
0

Like fingerprints

Cops in the US can force you to unlock your phone without a warrant if it can be unlocked using biometrics. But Apple has now made it so they can just hold it up to your face, alive or dead (with eyes open). Great...

41
1

Re: Like fingerprints

No different to fingerprints. Get you to touch ANYTHING (not even the phone) and they could unlock your phone.

This is why we do not use biometrics as authentication, only identification.

Identification = "I'm claiming to be Mr X"

Authentication = "I have proven that I am that person".

21
0

Re: Like fingerprints

Then how do you deal with STOLEN credentials?

1
1

Re: Like fingerprints

> Cops in the US can force you to unlock your phone without a warrant if it can be unlocked using biometrics. But Apple has now made it so they can just hold it up to your face, alive or dead (with eyes open). Great...

Biometric ID is disabled if you tap a button five times, on the latest iOS. Biometric unlocking is also disabled if the phone hasn't been unlocked for a period of time, or has been power cycled. Additionally, even an unlocked phone won't talk to a computer it's plugged into without the passcode.

It's strange, but it's almost as if Apple have put some thought into this...

12
3

Re: Like fingerprints

Fun prank.

Press everyone's button five times, and see if they remember what the passcode they set up months ago was supposed to be....

20
3
Anonymous Coward

Re: Like fingerprints

It's strange, but it's almost as if Apple have put some thought into this...

Sure they put some thought into this - a lot of marketing thought. Like Cook's lame painting of why Apple took years to go with OLED screens. (Bought from Samsung.) And why Apple took a long time after Samsung to implement facial recognition, or wireless charging, or took a long time after Android to implement voice commands. Yet marketing each as if Apple were first.

I don't have a problem with Apple's products. I have a problem with Apple's lack of honesty.

22
2

Re: Like fingerprints

they can just hold it up to your face, alive or dead (with eyes open).

Thank fuck for that. I was trying to figure how I'd get a victim to unlock their 'X' while they were screaming and all wide-eyed in terror. Thought I might have to choose a new line of business for a while there.

7
0

Re: Like fingerprints

"Yet marketing each is if Apple were first."

They've been doing that kind of thing for decades, such as when they proudly proclaimed that their new Power Mac was the first RISC home computer.

No it fucking wasn't.

12
0

@Lee D - fun prank

Touch ID requires that you re-authenticate with your password every 48 hours (I think it is supposed to be that, though I think I've seen it sometimes go a bit longer) so it isn't like you have to worry about forgetting your password even if you haven't restarted your phone (which also requires the password) in a long time.

I have to imagine Face ID works the same way.

3
1
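The rules described in these two comments (five-tap disable, no biometric after a power cycle, an idle limit, and the 48-hour passcode revalidation) combine into a small policy gate. The model below is an added example, not Apple's implementation or anything posted in the thread; the 8-hour idle limit and the five-failed-attempts threshold are assumed values, since the comments give no figures for them.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Constructed model of a biometric-unlock policy gate (added example, not
# Apple's implementation). The 48-hour passcode window, the power-cycle rule
# and the five-tap disable come from the comments; the idle limit and the
# failed-attempt threshold are assumed values.
PASSCODE_REVALIDATION_S = 48 * 3600   # passcode must be re-entered within 48 h
IDLE_LIMIT_S = 8 * 3600               # "a period of time" without unlock (assumed 8 h)
MAX_BIOMETRIC_FAILURES = 5            # fall back to passcode after this (assumed)


@dataclass(frozen=True)
class DeviceState:
    now: float                                   # current time, seconds
    last_passcode_entry: Optional[float] = None  # None = none since power-on
    last_unlock: Optional[float] = None
    biometric_failures: int = 0
    biometric_disabled: bool = False             # set by the five-tap gesture


def biometric_allowed(s: DeviceState) -> Tuple[bool, str]:
    """Return (allowed, reason); any failing rule forces the passcode."""
    if s.biometric_disabled:
        return False, "disabled by user (five taps)"
    if s.last_passcode_entry is None:
        return False, "no passcode since power cycle"
    if s.now - s.last_passcode_entry > PASSCODE_REVALIDATION_S:
        return False, "passcode revalidation window expired"
    if s.last_unlock is not None and s.now - s.last_unlock > IDLE_LIMIT_S:
        return False, "device idle too long"
    if s.biometric_failures >= MAX_BIOMETRIC_FAILURES:
        return False, "too many failed biometric attempts"
    return True, "ok"


def attempt_unlock(s: DeviceState, biometric_match: bool,
                   passcode_ok: bool = False) -> Tuple[DeviceState, bool]:
    """Biometric is tried only when the gate allows it; a correct passcode
    always unlocks and re-arms biometrics. Returns (new_state, unlocked)."""
    allowed, _ = biometric_allowed(s)
    if allowed:
        if biometric_match:
            return replace(s, last_unlock=s.now, biometric_failures=0), True
        s = replace(s, biometric_failures=s.biometric_failures + 1)
    if passcode_ok:
        return replace(s, last_unlock=s.now, last_passcode_entry=s.now,
                       biometric_failures=0, biometric_disabled=False), True
    return s, False


def five_tap(s: DeviceState) -> DeviceState:
    """User gesture from the thread: immediately require the passcode."""
    return replace(s, biometric_disabled=True)


def power_cycle(s: DeviceState, at: float) -> DeviceState:
    """After a reboot only the passcode works until it has been entered once."""
    return DeviceState(now=at)


def advance(s: DeviceState, seconds: float) -> DeviceState:
    """Move the clock forward with no user interaction."""
    return replace(s, now=s.now + seconds)
```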

Re: Like fingerprints

This is why recent Android revisions have required PIN entry after a restart; previously the fingerprint was enough. If you obey the rules and shut your phone down on take-off and landing the US border control cannot open your (Android) phone. There is a risk because they have jurisdiction within 200 miles of the border, but this is a border control issue; every other law enforcement authority in the US requires a search warrant first.

John Bowler

0
0

Re: Like fingerprints

I agree with that. Apple had to be dragged kicking and screaming into environmental responsibility, then you'd think they invented it. Likewise they swore the single button mouse was so much better. I believed them, until of course I got a two button mouse.

2
0

Re: Like fingerprints

When the Mac was introduced in 1984 nobody had been exposed to a mouse before, so a single button probably made sense to avoid complication. The problem is it became almost a religious dogma for Apple even after the whole world knew how to use a mouse and software was becoming ever more complex and could benefit from the extra contexts multiple mouse buttons provided.

2
2

Re: Like fingerprints

Sure, but since at least two cops will have gooned at it already it will revert to requiring your pass code by the time they have you in a headlock.

0
0

I can't help wondering what happens when the owner dies. I suppose they'll just bury the gadgets along with the body, giving lie to the saying 'you can't take it with you'.

5
0

Same thing that happens when the owner dies and doesn't leave the password behind. You don't need the dead person's face, their password will do as well. If they didn't leave you their password it doesn't make it any easier if they weren't using biometrics.

1
0

Apple requires you to have a passcode in addition to TouchID/FaceID

0
0
Anonymous Coward

Has anyone tested it with black people?

35
4

A scary thought.

This uses a projected IR dot pattern for the 3D; in theory I could see that very dark black skin may absorb enough of the IR so that it isn't able to sense the depth, the same way that some IR sensor hand dryers/faucets won't work for black skin.

You have to hope Apple have tested this with many different skin types and makeup.

13
1

Or just a reference to the awesome show "Better Off Ted". Well worth seeking out if you haven't seen it.

"Veridian Dynamics. Diversity: just the thought of it makes these white people smile"

4
0

Dark skin

That's a good point, Apple would be in for some MAJOR criticism if that turned out to be a problem! I don't think makeup is much of a concern compared to that, since wearing makeup is a choice like wearing giant sunglasses or a ski mask.

2
1

Or just a reference to the awesome show "Better Off Ted".

Loved that show, I'm still perplexed to this day why it didn't have a longer run (but then, I feel that way about Firefly too).

0
0

Currently my phone is lying flat on my desk; I can unlock it without picking it up, with my finger or a PIN, and check the screen for notifications. How is a system that requires picking it up to be scanned by its camera(s) making my life easier?

Android phones have had face unlock for a while. I don't think it's concerns over the security that have prevented its widespread adoption, more the fact it's less convenient than any other method.

24
0

Which was my first thought ... OOOOOHHHHH Apple 10: Face recognition!!!! Wireless charging!!!! Better camera!!!!!! Or what Android has been doing already for 2 years.

But you know the fanboys will be lining up to pay through the nose.

Fools and their money.....

15
4

Odd, could swear blind those Nokias ran Windows Phone.

5
0

> Currently my phone is lying flat on my desk, I can unlock it without picking it up with my finger or a pin and check the screen for notifications. How is a system that requires picking it up to be scanned by its camera(s) making my life easier?

I think you'll still be able to do this, just tap the screen. You might have to raise it to interact with those notifications but according to the keynote it looks like you'll definitely be able to see them without picking it up.

1
0

My 2-3 year old Lumia 950 XL (stop laughing at the back!) has Qi and face unlock.

Sammy nailed edge screens a couple of years ago.

So what's new other than wanky emojis?

And £1000! A fool and their money...

20
0

I had a Nokia Lumia 820 in 2012, that had Qi wireless charging...

0
0
Anonymous Coward

I agree with all comments below

7
0
Anonymous Coward

Jaffa cakes are biscuits

Muffins are round bread rolls.

Marmite is lovely.

Theresa May is the greatest leader.

Trump is super cool.

9
4
Anonymous Coward

I was with you until said Theresa May is the greatest leader...

8
2

Biting the hand that feeds IT © 1998–2017