Might the iPhone X open with a photograph of your face?

[xrunner]

Was debating this with some friends. Certainly if you lost it and a random person found it they would not have your photo, but what if an untrustworthy family member or girlfriend or boyfriend wanted to break into your iPhone X? Could they hold your photograph up to it and open the phone?

[Assafl]

My understanding was that instead of taking a 2d shot and comparing it (which both leads to obvious attacks and to false negatives as you age or become hirsute) - they simply looked at the face in 3d.

They simply build a 3d model as you move your noggin and check if the face topography matches.

A potential attack would be to use a Madame Tussaud style 3d mannequin. But I guess even that can be secured against by requiring facial features like eyes and lips to move. So one could use animatronics to move a Madame Tussaud mannequin.

[tooki]

Was debating this with some friends. Certainly if you lost it and a random person found it they would not have your photo, but what if an untrustworthy family member or girlfriend or boyfriend wanted to break into your iPhone X? Could they hold your photograph up to it and open the phone?

Watch the keynote. They expressly state that they designed it to not only reject photos, but to reject even cinema-grade masks they had made by Hollywood fx artists.

Additionally, it won't work without a gaze, apparently. So it won't unlock if it's looking at you, but you're not looking back.

In the keynote, they said that in testing, they arrived at a 1 in 1 million chance of false positives with it (compared to 1 in 50K with Touch ID), but that the error rate rises with close relatives and "evil twins" (with slide of Spock and his Mirror Universe evil twin). So I suspect that actual identical twins who haven't diverged due to injury or weight gain/loss probably have a high chance of being able to unlock their phones.

Indeed, it looks like it uses a rudimentary 3D camera to map the face. The infrared "dot projector" looks similar in concept to the laser holographic autofocus Sony used in some early-2000s digital cameras, which projected a diamondplate-like pattern of red stripes that the AF system could use to focus very quickly even with zero ambient light. (I have no idea why that system wasn't used more. It worked beautifully.)

[Mr. Scram]

It wouldn't be the first camera that can be fooled with a photograph, though Microsoft's Surface range has shown that pretty good security is possible. That has been tested with twins and not even that fooled the Surface cameras.

I think they use a mixture of 2D, 3D and infrared to record unique vein patterns.

[xrunner]

Well, you can be sure as the sun rises if I ever got an iPhone X I'd try like hell to get it to open on a photograph of myself. It's my nature to do so. 

[RGB255_0_0]

They have to get it working on the owner's own face before writing about others breaking it.

[mcinque]

They have to get it working on the owner's own face before writing about others breaking it.

[janoc]

Indeed, it looks like it uses a rudimentary 3D camera to map the face. The infrared "dot projector" looks similar in concept to the laser holographic autofocus Sony used in some early-2000s digital cameras, which projected a diamondplate-like pattern of red stripes that the AF system could use to focus very quickly even with zero ambient light. (I have no idea why that system wasn't used more. It worked beautifully.)

The infrared dot projector is very likely part of the Primesense depth sensing technology (the other part is an IR camera) that Apple has bought some years ago. Aka the same thing as the first Kinect  from Microsoft (the newer Kinects work on a different principle).

If it is using really that then good luck making it work in sunlight or brightly lit rooms, for example. The original Kinect was hopeless in such situations, because the dot patterns projected by the laser projector got washed out by the ambient infrared light and the camera couldn't capture them.

[ThunderCat]

If memory serves, the phone has to have been unlocked at least once that day with the passcode before using the facial recognition. Can anyone confirm?

Great thread.

[tooki]

If memory serves, the phone has to have been unlocked at least once that day with the passcode before using the facial recognition. Can anyone confirm?

Great thread.

I don't know how it is with Face ID, but Touch ID requires the passcode every 48h, as well as after 5 failed fingerprint scans. (Oddly, Touch ID on Mac does not require the account password every 48h, which tripped up a friend of mine who got so used to Touch ID on his MacBook that he forgot the password  )

[tooki]

Indeed, it looks like it uses a rudimentary 3D camera to map the face. The infrared "dot projector" looks similar in concept to the laser holographic autofocus Sony used in some early-2000s digital cameras, which projected a diamondplate-like pattern of red stripes that the AF system could use to focus very quickly even with zero ambient light. (I have no idea why that system wasn't used more. It worked beautifully.)

The infrared dot projector is very likely part of the Primesense depth sensing technology (the other part is an IR camera) that Apple has bought some years ago. Aka the same thing as the first Kinect  from Microsoft (the newer Kinects work on a different principle).

If it is using really that then good luck making it work in sunlight or brightly lit rooms, for example. The original Kinect was hopeless in such situations, because the dot patterns projected by the laser projector got washed out by the ambient infrared light and the camera couldn't capture them.

Good question. Given Apple's camera and image processing prowess, and the fact that they're based in sunny California, and how crazy brightly lit most Apple retail stores are, I am quite confident that they've tested it in very bright situations and got it to work properly.

[Halcyon]

I wonder how long it will be before government agencies apply to Apple, Google and all the rest of them with a request to "find this person for us" and have it match your face with your ID, fingerprint, GPS location, web history, etc... etc...

[tooki]

I wonder how long it will be before government agencies apply to Apple, Google and all the rest of them with a request to "find this person for us" and have it match your face with your ID, fingerprint, GPS location, web history, etc... etc...

That's why, just as with Touch ID, Face ID doesn't store the facial map outside of the quasi-write-only Secure Enclave security processor inside the SOC. The Secure Enclave receives the data from the Face ID sensors and then compares internally and simply delivers the passcode to the OS if it matches. iOS itself has no access to the stored facial map.

[Kjelt]

It looks like that phone is scanning 24/7. The demo seems to have failed due to the fact that other people have moved and placed it during staging setup prior to the presentation.

“People were handling the device for stage demo ahead of time,” says a rep, “and didn’t realize Face ID was trying to authenticate their face. After failing a number of times, because they weren’t Craig, the iPhone did what it was designed to do, which was to require his passcode.” In other words, “Face ID worked as it was designed to.”

Pretty rediculous IMO , do you think those people were directly looking into the camera, probably not, just transporting the thing it starts to look around to see if it can recognize your face, hmmmmmmm

[tooki]

It takes only a glance. Not an extended stare. Either way, not sure why you think that's ridiculous. Face ID, like Touch ID, is just a biometric proxy for your passcode. It makes absolute sense to err on the side of a false negative, and to reject brute force unlock attempts.

[Kjelt]

It takes only a glance. Not an extended stare. Either way, not sure why you think that's ridiculous. Face ID, like Touch ID, is just a biometric proxy for your passcode. It makes absolute sense to err on the side of a false negative, and to reject brute force unlock attempts.

Because it is doing it 24/7 not only when you want to log in. It looks like it is scanning for face continuously, if it is lying on the desk or in the car, drains the battery and as the demo showed it can work opposite to what you like: easy but safe login. Except when any person walks by three times you can again enter your pincode, pretty useless. It should start scanning when someone is staring at the camera or shakes it or whatever.

[tooki]

But that IS exactly what it does!!! It doesn't attempt a face recognition that isn't looking directly at the screen. Even closed eyes will not trigger one, apparently.

As for battery, I assume it's simply using the proximity sensor to determine when something is at the right distance, then turns on the actual Face ID system then.

Where in the demo did you see it work not easy and not safe??

[Kjelt]

Did you read my quote in the first post. That is what happened during the demo, other persons only moving the phone or walking near the phone made the demo fail and that is how it is supposed to work?
So if you are not using your phone you should put it in a black bag so it doesn't see anyone and start to prematurely identify bypassers?
I am getting to old for this s€€t.

[tooki]

Did you read my quote in the first post. That is what happened during the demo, other persons only moving the phone or walking near the phone made the demo fail and that is how it is supposed to work?
So if you are not using your phone you should put it in a black bag so it doesn't see anyone and start to prematurely identify bypassers?
I am getting to old for this s€€t.

I saw the quote, it's just that I don't infer absurd hysterics out of it like you have. "Handling the device" certainly does not mean people just walking by or just moving it. They were probably either handholding them to verify that they were ready (cables secure, charged, on wifi, etc), or actually playing with them to get a nice look at them.

I would be extremely surprised if the Face ID system did not use the accelerometer and proximity sensors to activate - anything else would probably use too much power anyway. You can't have a camera and two high power IR illuminator systems running all the time and not drain the battery excessively!

[Z80]

Does anyone know what problem this pointless wanky gimmik is supposed to solve?  Maybe this is Apple's way of getting a patent on the human face. 

[RGB255_0_0]

Does anyone know what problem this pointless wanky gimmik is supposed to solve?  Maybe this is Apple's way of getting a patent on the human face. 

Apple could not get touch ID working with Samsung's OLED display so this was their only alternative to an 'easy' method of unlocking the device.

[tooki]

Does anyone know what problem this pointless wanky gimmik is supposed to solve?  Maybe this is Apple's way of getting a patent on the human face. 

Apple could not get touch ID working with Samsung's OLED display so this was their only alternative to an 'easy' method of unlocking the device.

I would guess that getting it to work was easy, but that the problem is that to locate your finger quickly onto a sensor, it needs to be something you can feel by touch, which in turn would have meant distortion on the display glass.

BTW, do we know it was Samsung OLED, or is that just speculation? I would have intuitively assumed it was from LG, but I haven't done any research on the matter.

[Red Squirrel]

I'm not a fan of any kind of biometric style authentication.  People want to kill the concept of the password because it does have it's flaws, but I still think it's the best way to go.  I like Android's pattern system, I just wish it was more versatile, like that you can use the same dot twice.  Perhaps even add more dots. 

The issue with finger print, face recognition etc is 1: how accurate is it really, will someone that looks very close to you be able to trigger it?  And 2: you can more easily be forced to unlock it.  Someone can use it on you while you're unconscious for example.  I could see police beating you if you refuse to let them in then they'll just use it on you after they knocked you out.  But a password, it has to come from you and be you specifically inputing it, assuming you did not write it down anywhere.

Biometric could work nicely as a two factor auth system though.

[tooki]

I'm not a fan of any kind of biometric style authentication.  People want to kill the concept of the password because it does have it's flaws, but I still think it's the best way to go.  I like Android's pattern system, I just wish it was more versatile, like that you can use the same dot twice.  Perhaps even add more dots. 

The issue with finger print, face recognition etc is 1: how accurate is it really, will someone that looks very close to you be able to trigger it?  And 2: you can more easily be forced to unlock it.  Someone can use it on you while you're unconscious for example.  I could see police beating you if you refuse to let them in then they'll just use it on you after they knocked you out.  But a password, it has to come from you and be you specifically inputing it, assuming you did not write it down anywhere.

Biometric could work nicely as a two factor auth system though.

While I fully agree that phone OSes should offer an option of using biometric with 2FA (I'm kinda baffled as to why they don't!), I don't think you've done your homework on how biometric logins work on current phones.

I haven't looked into to how Android implements it, so I won't make any guesses. But here's a simplified explanation of how iOS does it:

Biometric login (be it Touch ID or Face ID) is simply a proxy for the passcode. The "Secure Enclave" security processor (which runs its own realtime OS, totally separate from iOS), when the phone boots up, must first be "fed" the passcode, because it doesn't actually have it stored across reboots. (The same initial passcode entry on boot is also used to unlock the OS, such that the passcode can even be passed to the Secure Enclave.) For security purposes as well as to make sure you don't forget the passcode, the Secure Enclave automatically discards the passcode every 48h, forcing you to re-enter it manually.

Additionally, failed biometric login attempts (2 with Face ID, 5 with Touch ID) will also trigger the Secure Enclave to forget the passcode, thus necessitating re-entry. There's also a system setting to delete the phone's storage decryption keys after 10 failed passcode entries, causing the phone's contents to be fully, instantly, and irretrievably erased. (There is no user-visible counter of the attempts, so that a cop or thief who is trying to coerce you into divulging the passcode cannot know how many attempts remain, nor indeed whether the auto-erase function is enabled at all. If enabled, it simply erases the phone on the spot once the 10th incorrect passcode has been entered.)

In iOS 11, the new emergency screen (triggered by pressing the sleep/wake button 5 times in a row) also tells the Secure Enclave to discard the passcode, giving you a way to quickly disable biometric login without leaving evidence. (For example, you can quickly press the button 5 times while waiting in line at airport security.)

In both Touch ID and Face ID, the biometric signature is not transmitted to the CPU and iOS; it remains solely within the Secure Enclave, totally unavailable to iOS, and thus unavailable to both law enforcement and hackers/malware. The Secure Enclave, in essence, only feeds back to iOS whatever data it was told to hold in escrow (like the passcode, and the decryption key for the system keychain) when biometric login succeeds. [speculation]Given this, and the fact that the iPhone X can use the Face ID sensors for augmented reality, it stands to reason that either a) the Face ID/Secure Enclave subsystem can feed anonymized (non-personalized) face position data out to iOS, without allowing the facial signature to be output, or b) the Face ID sensor data is fed to iOS, which sends sensor data to the Secure Enclave for computation of the signature and future comparison. I strongly suspect that approach (a) is used, since (b) has far more opportunity for abuse. [/speculation]

Touch ID can be used on an unconscious person (which is why some people recommend not registering your thumbprint, but instead using other fingers, such that cops would likely use up the 5 attempts on your thumbs before getting to the finger that works). Face ID, on the other hand, requires a deliberate, active gaze, and apparently also locks automatically when you look away. Between that and that you only get 2 attempts before it disables Face ID, the chances of an unconscious or uncooperative person's face being used to unlock are extremely small.

Apple just stated the false-positive (i.e. random chance of a stranger being able to unlock) rate for Touch ID as 1 in 50K, and for Face ID as 1 in 1 million, with the rate rising significantly with close relatives.


Ultimately, though, the original goal of biometric logins isn't to be more secure than a passcode, it's to be more secure than nothing at all, which is apparently what tons of people were doing before Touch ID. (I forget the statistics, but it was shockingly high to me.)

Apple publishes a document called the iOS Security Guide that goes into the security architecture in great detail. The current version is from March 2017, so I expect an updated version for iOS 11 and Face ID to come out next spring at the latest.



A much larger issue, IMHO, than the technical situation is the legal one. To me (and many others), it's obvious that the law should expressly address when you can and cannot be compelled to unlock your device, regardless of unlock method. But for historical reasons, and ones of what I consider obtuse interpretation of the law, in the US, you cannot be compelled to provide a passcode/password (though the government is now holding someone indefinitely for refusing to divulge a decryption password, egregiously violating the law IMHO), but you can be compelled to provide physical attributes, like fingerprints or the appearance of your face. This is why the ability to quickly and surreptitiously disable biometric login without leaving evidence (as Apple is doing in iOS 11) is hugely important.

[xrunner]

Does Apple's facial recognition technology compromise security for convenience?

 CBS News September 16, 2017, 12:13 PM

Apple executives unveiled the iPhone X this week along with facial recognition technology called Face ID. The iPhone's latest feature, which uses a 3-D scan of the user's face to unlock the phone, is also raising questions about privacy and security.

"We should be clear that this is a compromise of the security of your phone for convenience," said Wired magazine senior writer Andy Greenberg. He joined "CBS This Morning: Saturday" to discuss how the technology works, whether it can be tricked and why using a six-digit passcode is more secure than anything else.

"It's not gonna be that easy to spoof your face as it has been for the Galaxy S8 or other facial recognition systems where you could just show it a photograph," Greenberg explained. "The new iPhone, the iPhone X, is going to use tens of thousands of infrared dots on your face that it projects itself, and then uses an infrared camera to see how those are distorted."

Despite the advanced technology Apple is using, Greenberg said, "I've talked to hackers who've said they're going to break this." "Apple seems to have this war on inconvenience where even just having to have one button on your phone is too many. They want the experience to be so seamless that you don't even notice the features or notice the security," Greenberg said.

Greenberg said there are a few reasons why biometrics aren't the best way to ensure security. A simpler feature is better for protecting your privacy.

"The safest thing you can do is turn off your fingerprint reader, your face print reader and just use that six-digit pin code which is remarkably difficult to break in an iPhone," Greenberg said. "The six-digit passcode is just mathematically almost impossible to guess given the number of tries Apple offers you."

Last year, the FBI was unable to break into an iPhone locked with a six-digit password.

"You can be very easily coerced to show your finger or, more easily, your face to someone who wants to break into your phone, whether that's a mugger or a kidnapper or the police," Greenberg said. 

But what worries Greenberg more is what the adoption and widespread use of this technology could mean for the future of privacy.

"It's going to train Americans to use their face as a security mechanism. And once we're used to that, it's just a matter of time until tech companies are uploading those faces -- and Apple is not -- but maybe Amazon or Google will create a database of face prints," he said. "If they keep that centralized database or if a government agency does then it's only a matter of time until it leaks and then we're really in trouble in terms of privacy and security."

https://www.cbsnews.com/news/how-apples-facial-recognition-technology-compromises-security/