An announcement on Friday by Bkav, a Vietnamese cybersecurity firm, that it had cracked Apple’s Face ID, and a subsequent video apparently showing an iPhone being unlocked when pointed at a mask, were greeted with some skepticism.
Ngo Tuan Anh, Bkav’s vice president, gave Reuters several demonstrations, first unlocking the phone with his face and then by using the mask. It appeared to work each time.
However, he declined to register a user ID and the mask on the phone from scratch because, he said, the iPhone and mask need to be placed at very specific angles, and the mask to be refined, a process he said could take up to nine hours.
Apple declined to comment, referring journalists to a page on its website that explains how Face ID works.
That page says the probability of a random person unlocking another user’s phone with their face was approximately one-in-a-million, compared to 1-in-50,000 for the previously used fingerprint scanner. It also says Face ID allows only five unsuccessful match attempts before a passcode is required.
Anh acknowledged that preparing the mask wasn’t easy, but he said he believed the demonstration showed facial recognition as a way to authenticate users would be risky for some.
“It’s not easy for normal people to do what we do here, but it’s a concern for people in the security sector and important people like politicians or heads of corporations,” he said. “(These) important people should absolutely not lend their iPhone X to anyone if they have activated the Face ID function.”
It’s the first reported case of researchers apparently being able to fool the Face ID software.
“Nothing is 100% secure,” wrote Terry Ray, chief technology officer at U.S.-based cybersecurity company Imperva, in a note. “Where there’s a will, there’s a way. The questions are: How much trouble would someone go to, and how much would they spend, to get your data?”
Bkav’s Anh said the research took about a week, and included numerous failures. The mask frame was made of plastic, covered with paper tape to resemble skin, with a silicone nose and paper for eyes and mouth.
As far back as 2009, Bkav researchers highlighted what they said were problems with using facial recognition as a way to authenticate users. They said then that they had hacked three laptop manufacturers which used webcams to authenticate users.