Posted by Nikola Cucakovic on September 27, 2017
Written in coordination with Grant Douglas
Facial recognition is one of the most widely used forms of biometric access control. Unlike the data captured by other biometric systems, the information a face contains has many applications. It can be used to identify a subject’s gender, ethnicity, age, and even emotional state. A large factor in why facial recognition is so popular is its familiarity; social media has encouraged people to share their faces online, making users more comfortable with the concept.
Owing to the intrinsic nature of facial recognition technology, it is paramount to ensure the system can consistently and securely identify an individual. However, achieving secure access control through facial recognition is challenging; there are a multitude of attack vectors to consider, such as spoofing, image manipulation, run-time tampering, and even image theft.
In this post, we will briefly talk about the security concerns related to the new iPhone X’s facial recognition system.
Apple has published a paper on the security of Face ID and since we don’t have the device yet, here’s what we can tell so far:
Notably, at some point in this process, checks are performed to ensure the user is paying attention to the device.
In order to use Face ID, users are required to configure their iPhone X with a passcode. From then on, the user’s face can be used to unlock the device without requiring the passcode. There are some scenarios, however, whereby the user will be forced to input the passcode and will not be permitted to use only their face. Those circumstances include:
It goes without saying that no authentication system is unbeatable. During the release event, Phil Schiller, SVP of worldwide marketing at Apple, stated that the chance of a random person in the population looking at your iPhone X and unlocking it with their face is one in a million:
“What are the similar statistics for Face ID? One in a million. The chance that a random person in the population could look at your iPhone X and unlock it with their face is about one in a million.”
However, Apple conceded during the livestream event that yes, your “evil twin” may be able to unlock your device via Face ID. As such, you should be careful whom you trust with your device.
Even so, this is a huge increase in authentication strength compared with Touch ID, Apple’s fingerprint biometric technology; Touch ID has a 1-in-50,000 chance of a random person using their fingerprint to successfully unlock your phone:
“The chance that a random person could use their fingerprint to unlock your iPhone is about 1 in 50,000.”
However, uniqueness is only one of many concerns regarding biometric authentication. It’s very unlikely that your device is going to be stolen and unlocked by chance, whether it’s 1 in 50,000 or 1 in 1 million. Instead, we should be more concerned with how practical or feasible it is for an attacker to circumvent this technology. We know that Touch ID was circumvented using advanced and expensive technologies, but a typical phone thief won’t have access to such resources. Even threat actors who do have the time and resources available to attack Touch ID require a copy of the victim’s fingerprint from somewhere to spoof it. While it’s not impossible to obtain someone’s fingerprint, we can say that it’s definitely more difficult than simply obtaining an image of someone’s face—especially since social media and technology are so integrated into modern-day life that photos are everywhere.
What Apple must therefore ensure is that even with a photograph of the victim’s face, an attacker cannot access the phone. Many facial recognition technologies released to date have been circumvented using rudimentary techniques, including printed photographs, digital photographs, animated digital photographs, and 3D models.
Apple has been hard at work to ensure that these types of spoofing attacks don’t work against Face ID, but until we get access to the device, we won’t know how well they’ve done. Apple does claim that even realistic 3D masks of users’ faces have been tested and were unsuccessful.
One concern users may have is “What if I’m forced to unlock the device by looking at it?” This can be a valid concern if you are confronted by a threat actor who wants you to unlock the device for them (e.g., a phone thief or mugger, or law enforcement). If you simply press the buttons on both sides of the device at the same time, Face ID will be deactivated until the next time a passcode is entered. With this feature, users can ensure that even if they are forced to look at the device, it will remain locked.
An interesting note from the release presentation is that apps that support Touch ID already support Face ID. This indicates that the same APIs are used and that the device will use whichever biometric solution is available. The framework typically used for fingerprint authentication is called Local Authentication. It is named appropriately to cover both Face ID and Touch ID. This is great from a feature adoption and support perspective. Businesses and developers wishing to be at the forefront of technology can support Face ID with little or no effort.
However, for some organizations, there may have been a period of analysis and review concerning Touch ID before it was approved/risk-accepted for use within the enterprise (or for use in their externally visible App Store apps). Those organizations may not have assessed the risks concerning facial recognition or approved the technology for enterprise use. On Day 1 when the iPhone X is released, all apps that support Touch ID will support Face ID. This means that users of corporate devices will be able to use facial recognition even if their organizations aren’t OK with that. Organizations should start to evaluate whether Face ID is appropriate for use now, ahead of the iPhone X release, to adjust their policies in time.
The Local Authentication framework does allow developers to identify whether a device supports Touch ID or Face ID; therefore, it is possible to programmatically disable Local Authentication in either or both scenarios if desired.
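The following Swift example is an addition to this post, not code from the original authors or from Apple. It shows one way to gate biometric unlock on an organization's approved methods using the Local Authentication framework's `LAContext.biometryType`; the names `BiometricPolicy`, `UnlockMethod`, `unlockMethod(for:)` and `authenticate(policy:completion:)` are hypothetical.

```swift
import LocalAuthentication

/// Biometric methods the organization has risk-accepted (hypothetical type).
struct BiometricPolicy {
    var allowTouchID: Bool
    var allowFaceID: Bool
}

/// Outcome of the policy check (hypothetical type).
enum UnlockMethod {
    case biometric(LAContext)   // an approved biometric is available and enrolled
    case appCredential          // fall back to the app's own passcode or password
}

/// Decide how this device may unlock the app under the given policy.
func unlockMethod(for policy: BiometricPolicy) -> UnlockMethod {
    let context = LAContext()
    var error: NSError?

    // biometryType is only populated after canEvaluatePolicy has been called.
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &error) else {
        return .appCredential   // no biometric hardware, not enrolled, or locked out
    }

    if #available(iOS 11.0, *) {
        switch context.biometryType {
        case .touchID:
            return policy.allowTouchID ? .biometric(context) : .appCredential
        case .faceID:
            return policy.allowFaceID ? .biometric(context) : .appCredential
        default:
            return .appCredential   // unknown or future type: treat as not approved
        }
    }
    // Before iOS 11 the only biometric method was Touch ID.
    return policy.allowTouchID ? .biometric(context) : .appCredential
}

/// Run the approved biometric prompt, or report false so the caller can
/// present its own credential screen (not shown here).
func authenticate(policy: BiometricPolicy, completion: @escaping (Bool) -> Void) {
    guard case .biometric(let context) = unlockMethod(for: policy) else {
        return completion(false)
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your account") { success, _ in
        DispatchQueue.main.async { completion(success) }
    }
}
```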