Amid all the hype, Apple is not exactly saying that Face ID and Touch ID are perfect solutions. They don’t work in every single case. From Consumer Reports to a number of tech publications, it has been demonstrated that Face ID can fail from time to time under normal use. Touch ID is better than it used to be, but I occasionally have to do it twice. Sometimes I just use the passcode, which always works so long as I enter the correct numbers.
Now one of the classic features of the “Mission Impossible” TV series, and the blockbuster movies, is the ability to create amazingly perfect face masks. A character puts on the mask, and they are instantly changed into a perfect replica of another person.
Of course, this requires a suspension of disbelief, a very big suspension. The secret agent’s physique has to roughly resemble the person he or she will impersonate. At 5′ 7,” actor Tom Cruise has pretend to be one of the shorter villains, or does he wear stilts and platform shoes?
In any case, the basic question is whether a real face mask can somehow be used to fool Face ID. A report from Forbes claims it has been done twice by hackers from Viet Nam at a total cost of $150 for the first effort, and $200 for the second.
The deed is allegedly demonstrated in a video, but you’d have to take it on faith that it wasn’t edited to convey a misleading impression of what was really accomplished.
According to the Forbes blogger, “A video shows the Face ID facial recognition enrollment being reset. Then the researcher enrolls his own face and seconds later unlocks it with a mask made of a 3D-printed visage constructed of stone powder, with 2D-printed eyes stuck on.”
But the scheme has a fatal flaw, because the mask is made by scanning someone’s face. So you need the original face to begin with, meaning it ought to be a lot less time-consuming for that person to just unlock an iPhone X. Or maybe the individual has been kidnapped, and thus they criminals have decided to use the mask for future attempts to unlock the device without the owner being present.
Isn’t this starting to get just a little extreme?
Of course it’s always possible for a criminal to take out a gun, and order someone to unlock their iPhone. It doesn’t matter how. How many people would be foolish enough to say no way?
Now if the scan could be generated direct from someone’s digital photo — and that appears to apply to the facial recognition scheme on a Samsung Galaxy S8 — it would represent a genuine security flaw. But having to go through all the rigamarole the Vietnamese hackers had to confront to unlock an iPhone X clearly demonstrates that Apple’s solution is pretty robust. Only time-consuming and extreme methods will accomplish the deed, and at some point the device’s owner has to participate, willing or not.
As a practical matter, Face ID appears to work well enough to accommodate most situations. If you don’t trust it, use a passcode. With a six-figure code, the chances that anyone will guess it before the unit is locked for good are slim to none. If you type the code correctly, it works 100% of the time, whereas all biometrics are less efficient.
But what about just buying an iPhone with Touch ID? Is that a more robust solution?
Maybe not. I’ve managed a roughly 80% success rate with recent iPhones. I create profiles with both thumbs, but it’s just not good enough. Sometimes I just have to revert to the passcode, which you have to do anyway if you restart the device.
If you do a little online checking, you’ll see reports of people who managed to fool Touch ID with some sort of latex print. But you still have to lift the print, meaning you have to have the original finger, or a really good fingerprint to work with. Some suggest you might also be able to accomplish the task with a dead finger, so long as the corpse hasn’t deteriorated too much. I suppose that ought to be a lesson to the authorities if they are trying to grab data from an iPhone, or another device with a fingerprint sensor that was used by the recently deceased suspect.
It’s a grisly prospect, to be sure.
With the latest reports, Apple’s critics will no doubt produce the straw man arguments that their biometrics are deeply flawed, suffering from serious security vulnerabilities.
So it is fun, I suppose, to read reports about successful efforts to hack an iPhone or another device. Again, you have to feel confident that Apple has devised a solution that’s harder to crack than the competition’s. It should be obvious that they already know its flaws, and are working on even more robust hardware and software that even the best “Mission Impossible” mask won’t crack. Well, at least until the hackers come up with a better way.