A cybersecurity firm has successfully ‘tricked’ Face ID by creating a specially made mask that imitates a person’s real face. However, the researchers say they unlocked the iPhone X with a real face so that the phone could not learn any false data from the mask.
The mask cost only $150 to make but it required access to a detailed scan of the person’s facial features and many hours of work by artists. Most of it was made by a 3D printer while other elements such as the skin and nose were hand-made. Only the eyes, nose and mouth are actually painted in because the researchers found that large portions of the face did not have to accurately depict a face in order for Face ID to unlock.
Apple has said that Face ID has defences against such biometric attacks but this does not guarantee infallibility:
An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your phone with photos or masks.
This does show that a targeted attack on specific, important individuals is possible so such people should avoid using Face ID. For everyone else, Face ID is more than secure as it’s far too time-consuming to create a mask of this quality just to break into one person’s phone.
It’s also worth noting that this mask will have been created with the cooperation of the person it is mimicking, which would not be the case for an attack on a celebrity, for example. Apple can also use findings from this research to make an even more secure algorithm for Face ID to be released in future software updates.