Researchers at the Black Hat security conference this week highlighted an interesting, and somewhat impractical, way to fool Apple’s Face ID. Originally introduced with the iPhone X, Face ID does an impressive job of only allowing authorized users to access a particular device. All the same, Face ID isn’t entirely foolproof.
Over the past few years, we’ve seen a few demonstrations that illustrate how Face ID can sometimes be fooled by twins or even siblings who bear a close resemblance. There have even been stories of researchers using 3D-printed plaster masks to fool the software.
As for the new Face ID workaround mentioned above, researchers from Tencent showed conference-goers how they were able to access a locked iPhone by affixing glasses with black tape on the lenses to the face of a presumably unconscious iPhone X owner. As it turns out, Face ID only attempts to analyze 3D information of a user’s face when the user in question isn’t wearing glasses. When a user is wearing glasses, Face ID relies only upon a 2D construction, which makes it much easier for folks to fool the technology.
The researchers specifically homed in on how liveness detection scans a user’s eyes. They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris). They also discovered that if a user is wearing glasses, the way that liveness detection scans the eyes changes.
“After our research we found weak points in FaceID… it allows users to unlock while wearing glasses… if you are wearing glasses, it won’t extract 3D information from the eye area when it recognizes the glasses.”
Is this interesting? Sure. And while it does provide us with some intriguing information regarding the inner workings of the technology, it doesn’t impact the efficacy or reliability of Face ID in the slightest.
If someone knocking you unconscious and outfitting you with fake glasses is something that’s liable to happen to you, I’d venture to say that Face ID’s security is the least of your concerns. Indeed, we’ve been through this rigmarole before with Touch ID. Back when Apple introduced its fingerprint authentication scheme with the iPhone 5s, some researchers went to extraordinarily comical lengths to demonstrate how the feature could be bypassed in extreme use cases.