When Apple introduced Face ID security alongside the iPhone X, it boasted that even Hollywood-quality masks couldn’t fool the system. It might not be a question of movie-like authenticity, however — security researchers at Bkav claim to have thwarted Face ID by using a specially-built mask. Rather than strive for absolute realism, the team built its mask with the aim of tricking the depth-mapping technology. The creation uses hand-crafted “skin” made specifically to exploit Face ID, while 3D printing produced the face model. Other parts, such as the eyes, are 2D images. The proof of concept appears to work in the team’s demo clip. The question is: do iPhone X owners actually have to worry about it?
The researchers maintain that they didn’t have to ‘cheat’ to make this work. The iPhone X was trained on a real person’s face, and the mask required only roughly $150 in supplies (not including the off-the-shelf 3D printer). The demo shows Face ID working in one try, too, although it’s not clear how many false starts Bkav had before producing a mask that worked smoothly. The company says it started working on the mask on November 5th, so the completed project took about 5 days.
When asked for comment, Apple pointed us to its security white paper outlining how Face ID detects faces and authenticates users.
Is this a practical security concern for most people? Not necessarily. Bkav is quick to acknowledge that the effort involved makes it difficult to compromise “normal users.” As with fake fingers, this approach is more of a concern for politicians, celebrities and law enforcement agents whose value is so high that they’re worth days of effort. If someone is so determined to get into your phone that they build a custom mask and have the opportunity to use it, you have much larger security concerns than whether or not Face ID is working.
More than anything, the seeming achievement emphasizes that biometric sign-ins are usually about convenience, not completely foolproof security. They make reasonable security painless enough that you’re more likely to use it instead of leaving your device unprotected. If someone is really, truly determined to get into your phone, there’s a real chance they will — this is more to deter thieves and nosy acquaintances who are likely to give up if they don’t get in after a few attempts.