Late on Sunday, WIRED reported that a Vietnamese security firm called Bkav may have beaten the iPhone X’s Face ID facial recognition unlock system using a mask made of silicone, 3-D printed plastic, and paper cutouts. The firm released a blog post and video explaining their experiment. Note that this test has not been repeated or confirmed by other security researchers, and it required a significant amount of time and effort – in line with high-level corporate or governmental espionage, a la Mission Impossible. It requires detailed measurements of the victim’s face or a digital scan to create the mask, so it’s very unlikely that this would be used against the average iPhone user.
Also, there are ways that researchers at Bkav could have “weakened” Face ID before cracking it with the mask. The person in Bkav’s demo wore glasses, but their mask did not. Face ID uses machine learning elements to help account for small changes in the user’s appearance, such as wearing a hat or scarf. Our security researchers say it’s possible that training the iPhone on a face that wears glasses could have caused it to pay less attention to the printouts of eyes on the mask, making it easier to fool. Bkav has not released many details about their tests and Apple has not yet responded to WIRED’s story, so there are still many unanswered questions.
WatchGuard’s CTO Corey Nachreiner recently dug into Face ID security for a column in Tech Beacon, where he argued that multifactor authentication is a stronger solution than any single biometric token. Here’s an excerpt from that article.
Despite Face ID’s security, I’m still almost positive that researchers and hackers will eventually crack it. Which brings me to my real point: No single authentication factor, no matter how well designed, will ever be perfect. Our authentication options are something we know (passwords), have (tokens or certificates), or are (biometrics). The problem is that there are always ways for these tokens to be stolen, guessed, or mimicked.
This test from Bkav seems to back up Corey’s assertion that hackers will eventually find ways to defeat any authentication token. The more secure approach is to combine different authentication factors rather than create more advanced biometric ones (even if they are stronger). Multi-factor authentication will always win out over any single token.
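To make the "know / have / are" argument concrete, here is a small policy model, written for this post rather than taken from WatchGuard or Bkav. It checks that factors come from distinct categories (two biometrics are still one factor type) and compares an attacker's chance of defeating a stronger single biometric against two weaker but independent factors; the probabilities are constructed estimates, and the independence assumption is a deliberate simplification.

```python
from dataclasses import dataclass
from math import prod

# Factor categories from the excerpt: something you know, have, or are.
CATEGORIES = {"know", "have", "are"}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str           # "know" | "have" | "are"
    compromise_prob: float  # constructed estimate that it can be stolen, guessed or mimicked


def distinct_categories(factors):
    """Return the set of categories present; any unknown category is rejected."""
    cats = {f.category for f in factors}
    unknown = cats - CATEGORIES
    if unknown:
        raise ValueError(f"unknown factor category: {unknown}")
    return cats


def is_multifactor(factors):
    """True only when at least two *different* categories are required.
    Face + fingerprint are both 'are', so they do not count as MFA."""
    return len(distinct_categories(factors)) >= 2


def attacker_success(factors):
    """Probability that an attacker defeats every required factor,
    assuming the factors fail independently (a simplifying assumption)."""
    return prod(f.compromise_prob for f in factors)


# Constructed illustrative estimates, not measurements of any real product.
FACE_ID = Factor("Face ID", "are", 0.01)
BETTER_FACE = Factor("stronger biometric", "are", 0.001)
FINGERPRINT = Factor("fingerprint", "are", 0.02)
PIN = Factor("6-digit passcode", "know", 0.05)
TOKEN = Factor("hardware token", "have", 0.02)

if __name__ == "__main__":
    for combo in ([BETTER_FACE], [FACE_ID, FINGERPRINT], [FACE_ID, PIN], [FACE_ID, PIN, TOKEN]):
        names = " + ".join(f.name for f in combo)
        print(f"{names:45s} MFA={is_multifactor(combo)!s:5s} "
              f"attacker success={attacker_success(combo):.6f}")
```

Even with the face spoof made ten times harder, the single biometric still loses to an ordinary Face ID unlock paired with a passcode, because the attacker now has to obtain two unrelated things.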