A new Apple patent application suggests that the company has boosted the security of Face ID in order to defeat the attack method demonstrated in 2017, when a specially-designed 3D-printed mask was able to unlock an iPhone X.
The attack was a sophisticated one, meaning that ordinary users didn’t have much to fear, but the security researchers did suggest that high-profile targets – like company CEOs – might want to avoid using Face ID …
Making the mask only cost $150 in materials, but required access to a detailed scan of the person’s facial features and many hours of work by artists.
The researchers say that much of the model was made using an off-the-shelf 3D printer whilst other elements like skin and nose were hand-made.
The same team went on to create an even more sophisticated version, allowing a static mask to work even when Require Attention was switched on. At that point, the researchers advised against using Face ID for ‘business transactions.’
New Face ID patent application
Apple filed a new patent application months after Face ID had been cracked on iPhone X so as to ensure that the 3D mask approach would fail in the future. The patent application was made public this week.
It’s not 100% clear that this is the goal of the patent, as the document doesn’t list any specific goals, and the description of what the new approach achieves is somewhat opaque. However, it does now employ pseudo-random patterns to mix-and-match its 2D and 3D scanning modes. One possible interpretation of the description would be that it requires movement in the face, so the idea that it would block mask-based attacks does seem plausible.
Techniques are disclosed relating to preventing or reducing security threats relating to biometric sensors, e.g., for facial recognition. In some embodiments, a device is configured to generate a pseudo-random sequence of image capture modes using at least two different modes. For example, the sequence may include two-dimensional (e.g., with flood illumination) and three-dimensional (e.g., with depth illumination) capture modes. In some embodiments, a secure circuit is configured to verify the sequence in image data from the camera unit and may determine whether to allow facial recognition to proceed based on whether the sequence was used.
In some embodiments, a device is configured to use a secret illumination pattern (which may be referred to as a probing pattern) for at least one image associated with a facial recognition session. This probing pattern may be pseudo-randomly determined from among a plurality of illumination patterns (e.g., with statically configured arrays for different patterns and/or dynamically adjustable patterns). For example, the pattern may include only a subset of infrared dots in an array of dot projectors used for a depth capture mode. In some embodiments, a secure circuit is configured to verify that the illumination pattern is present in image data from the camera unit and may determine whether to allow facial recognition to proceed based on whether the pattern was used.
In some embodiments, the device is configured to use the secret illumination pattern only after verifying a pseudo-random sequence of capture modes, or vice versa, which may further reduce the likelihood of a successful attack.
Either way, the result is a more thorough scan of the face.
Face ID security
Apple touts Face ID as significantly more secure than Touch ID. The chances of a random face being able to unlock your phone are cited as one in a million, versus 1 in 50,000 for a random fingerprint with Touch ID.
Face ID is, however, far less secure with some close family members. Apple specifically warns of higher chances of spoofing by twins, siblings and younger children.
The statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed. If you’re concerned about this, we recommend using a passcode to authenticate.
Usage of Face ID continues to gradually expand. It’s supported by most banks and financial institutions for logging-in to their apps, and WhatsApp recently added the option of using it to protect your chats. I’d like to see it further expanded, including in some of Apple’s own apps, and 93% of you agree.