#Bkav recently broke #Apple’s #FaceID authentication on the #iPhoneX. It seems to be a legitimate claim, since no other expert has debunked their testing. At a cost of less than $200, all Bkav did was print a 3D mask of the iPhone’s owner to create what they call the “Artificial Twin”. Despite Apple’s claim that Face ID is more secure than #TouchID, and that the chance of fooling Face ID is 1 in 1,000,000, the guys at Bkav did a wonderful job of fooling the system. They also enabled “Require Attention for Face ID”, which is meant to be another layer of security: it requires you to look at your iPhone to use Face ID, and it is one of the features that is supposed to prevent Face ID from unlocking with a mask, with a photograph or when you’re looking away from your phone. Bkav was still able to unlock the iPhone.
Although it looks easy, it is actually not simple to do, which still gives Face ID credibility as a secure method of authentication. To pull this off you would need high-res photos of the owner shot at different angles, and then you would need to create a 3D image of the face printed to a mask. I’m pretty sure not everybody can pull this off in minutes. It took 10 hours before Bkav could trick the AI in the iPhone X for this to work. Much props to the Bkav guys for pointing out that Face ID could possibly be hacked, which strengthens claims by some hackers that it could be fooled.
Initially I thought that on the “ugly” notch there was an IR or infrared camera that verifies if the face is human or not. It doesn’t appear to do that, since when the 3D mask was placed in front of the iPhone X it unlocked immediately. On the iPhone X, the infrared camera captures images of the dot patterns from a projector and the IR light (a heat signature) that’s been reflected back from your face, but that is during capture of the “Enrollment Image” when you are setting up Face ID for the first time. During face recognition, however, the IR is used to create a map of the facial features to compare with the image in the Secure Enclave chip that is referenced whenever Face ID is used. So the IR camera doesn’t first measure body heat to verify whether the face is organic or human. With infrared thermography (IRT), an IR sensor can detect body heat from the face in order to prevent masks from being used to fool the system. Since a mask does not emit body heat, it cannot prove to Face ID that it is organic or human, and therefore it will not work. This requires adding another IR sensor to the notch, and that will probably require redesigning the phone. In the existing Face ID, IR is not used in that way; it is used to capture a verification image to compare with the enrollment image, without measuring heat signatures to confirm organic or human identity. This is just a proposed concept, not the actual solution for Face ID.
