The release of the iPhone X earlier this month included a new facial recognition security feature called Face ID. Designed to replace Touch ID, Face ID authenticates the user by projecting and reading an infrared dot pattern on the face, and is used both to unlock the iPhone X and to authorize Apple Pay purchases. Banks are starting to accept it in their apps as well.

Apple said Face ID projects 30,000 infrared dots to map a user's face, making the odds of fooling it extremely low. But a Vietnamese security company, Bkav, has since reported bypassing it with a mask made from 3D-printed parts. That may be only the first of a string of attacks on the feature. So should business users be worried?

“Apple’s facial recognition was never intended to be a security measure for strong authentication,” said Josh Mayfield, director of product marketing at FireMon. “Strong authentication cannot be faked, gamed, or manipulated. Apple’s facial recognition begins with the opening assumption that the user gazing at the screen is likely to be the correct user. From there, the recognition system only seeks to confirm its assumption…never to seek to prove its assumption wrong.”


Paul Norris, senior systems engineer at Tripwire, stated that hacks like the one Bkav carried out take a great deal of time and effort. “Detailed dimensions would have had to be taken to create the mask and the security firm alluded to the fact that they had to use a special material on the mask too,” he said. “What they didn’t disclose was how many attempts and what level of effort it took to get the mask to work flawlessly.” Norris also pointed out that several safeguards built into Face ID limit the risk. Face ID can only be enabled on a device that has a passcode, and after five failed face-match attempts the device falls back to requiring that passcode. In addition, the passcode must be entered when the device:

  • Has just been turned on or restarted
  • Hasn’t been unlocked at all for more than 48 hours
  • Hasn’t been unlocked with the passcode in the past six and a half days and hasn’t been unlocked via Face ID in the last four hours (both must hold)
  • Has received a remote lock command
  • Has initiated the Emergency SOS function
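The rules above are what turn a mask attack into a race against a counter and a clock. As an added illustration, not code from the article, Apple, or any of the firms quoted, the following Python models those fallback conditions as a policy check and runs a constructed mask-attack timeline against it. The time limits are the ones listed, with the four-hour and six-and-a-half-day conditions treated as one combined rule as Apple's Face ID documentation states them; the device-state fields, the one-minute spacing between attempts, and the `mask_matches` callback standing in for Bkav's undisclosed success rate are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

# Fallback limits as listed in the article (taken from Apple's Face ID documentation).
MAX_FAILED_FACE_ATTEMPTS = 5
FACE_ID_IDLE_LIMIT = timedelta(hours=4)
PASSCODE_RENEW_LIMIT = timedelta(days=6, hours=12)   # six and a half days
NO_UNLOCK_LIMIT = timedelta(hours=48)


@dataclass
class DeviceState:
    """Constructed model of the unlock-relevant state of one phone.
    Assumption: field names are ours; a real device keeps this in the Secure Enclave."""
    last_passcode_unlock: Optional[datetime] = None   # None: not yet entered since power-on
    last_face_unlock: Optional[datetime] = None
    failed_face_attempts: int = 0
    remote_lock_received: bool = False
    sos_triggered: bool = False

    def last_unlock(self) -> Optional[datetime]:
        times = [t for t in (self.last_passcode_unlock, self.last_face_unlock) if t]
        return max(times) if times else None


def face_id_blocked_reasons(state: DeviceState, now: datetime) -> List[str]:
    """Return every rule that currently forces the passcode; an empty list means
    a Face ID attempt is allowed right now."""
    if state.last_passcode_unlock is None:
        # Fresh boot: the passcode must be entered once before Face ID is usable at all.
        return ["device just turned on or restarted"]
    reasons = []
    if state.failed_face_attempts >= MAX_FAILED_FACE_ATTEMPTS:
        reasons.append("five failed Face ID attempts")
    if now - state.last_unlock() > NO_UNLOCK_LIMIT:
        reasons.append("not unlocked for more than 48 hours")
    # The 6.5-day and 4-hour limits form one combined rule: both must be exceeded.
    passcode_stale = now - state.last_passcode_unlock > PASSCODE_RENEW_LIMIT
    face_stale = (state.last_face_unlock is None
                  or now - state.last_face_unlock > FACE_ID_IDLE_LIMIT)
    if passcode_stale and face_stale:
        reasons.append("passcode unused for 6.5 days and Face ID unused for 4 hours")
    if state.remote_lock_received:
        reasons.append("remote lock command received")
    if state.sos_triggered:
        reasons.append("Emergency SOS initiated")
    return reasons


def simulate_mask_attack(state: DeviceState, start: datetime,
                         mask_matches: Callable[[int], bool],
                         max_tries: int = 10) -> List[Tuple[int, str, List[str]]]:
    """Attacker presents a mask once per minute (assumed spacing) until the phone
    unlocks or falls back to the passcode. mask_matches(i) is a stand-in for the
    unknown probability that the real mask fools the sensor on attempt i."""
    log = []
    for i in range(max_tries):
        now = start + timedelta(minutes=i)
        blocked = face_id_blocked_reasons(state, now)
        if blocked:
            log.append((i, "passcode required", blocked))
            break
        if mask_matches(i):
            state.last_face_unlock = now
            state.failed_face_attempts = 0
            log.append((i, "unlocked", []))
            break
        state.failed_face_attempts += 1
        log.append((i, "rejected", []))
    return log


if __name__ == "__main__":
    t0 = datetime(2017, 11, 20, 9, 0)          # constructed timeline
    # Phone stolen an hour after its owner last used it: the attacker gets five tries.
    victim = DeviceState(last_passcode_unlock=t0 - timedelta(hours=1),
                         last_face_unlock=t0 - timedelta(minutes=30))
    for entry in simulate_mask_attack(victim, t0, lambda i: False):
        print(entry)
```

Run as a script, the constructed timeline shows five rejections followed by a passcode prompt. Swapping in a device that has sat unused for 50 hours makes `face_id_blocked_reasons` refuse the very first attempt, which is the "48-hour window" the rest of the article refers to: a mask, however good, is useless against a phone nobody has unlocked in two days.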

Terry Ray, CTO of cybersecurity firm Imperva, pointed out that Apple concedes that a user’s twin or a similar-looking sibling could resemble the user closely enough to trigger a false positive. Worse, researchers have brute-forced facial authentication systems in the past.


Ray said that false negatives can happen too. If the owner of the phone undergoes a notable change in appearance, such as shaving off a beard or getting a drastically different haircut, Face ID could fail to authenticate, and the passcode will be required so that Face ID can be updated to match the user’s new look.

However, said Ray, “The average consumer is probably not at risk from a facial recognition attack or a false positive authorization, unless of course, they possess a devious identical twin.”

A hack like the one Bkav pulled off would cost about $150 in 3D-printing supplies, which is not financially crippling for a potential attacker but is also not something likely to be invested in on a wide scale. It would also require access to the phone itself, at which point some physical security would already have been compromised. Finally, the mask would have to be accurate enough to unlock the phone within five attempts, and before 48 hours had passed since the phone was last unlocked.

“Is the value in one phone worth this effort?” said Ray. “Probably to someone with a particular agenda, but not likely an issue for most users.”

Ray said that a common question in the security realm is whether the technology being considered is good and easy enough for your purposes: “Nothing is perfect and the right technology is one you feel comfortable to use and one that keeps you acceptably secure.”
