A new Apple patent application suggests that the company has boosted the security of Face ID in order to defeat the attack method demonstrated in 2017, when a specially designed 3D-printed mask was able to unlock an iPhone X.
The attack was a sophisticated one, meaning that ordinary users didn’t have much to fear, but the security researchers did suggest that high-profile targets – like company CEOs – might want to avoid using Face ID …
The same team went on to create an even more sophisticated version, allowing a static mask to work even when Require Attention was switched on. At that point, the researchers advised against using Face ID for ‘business transactions.’
The researchers say that much of the model was made using an off-the-shelf 3D printer whilst other elements like skin and nose were hand-made.
New Face ID patent application
A new Apple patent application spotted by Patently Apple describes a boost to Face ID security which the site suggests is designed to defeat the mask-based attack.
It’s not 100% clear that this is the goal of the patent, as the document doesn’t list any specific goals, and the description of what the new approach achieves is somewhat opaque. However, the approach it describes does employ pseudo-random patterns to mix and match its 2D and 3D scanning modes. One possible interpretation of the description would be that it requires movement in the face, so the idea that it would block mask-based attacks does seem plausible.
Either way, the result is a more thorough scan of the face.
In some embodiments, a device is configured to use a secret illumination pattern (which may be referred to as a probing pattern) for at least one image associated with a facial recognition session. This probing pattern may be pseudo-randomly determined from among a plurality of illumination patterns (e.g., with statically configured arrays for different patterns and/or dynamically adjustable patterns). For example, the pattern may include only a subset of infrared dots in an array of dot projectors used for a depth capture mode. In some embodiments, a secure circuit is configured to verify that the illumination pattern is present in image data from the camera unit and may determine whether to allow facial recognition to proceed based on whether the pattern was used.
In some embodiments, the device is configured to use the secret illumination pattern only after verifying a pseudo-random sequence of capture modes, or vice versa, which may further reduce the likelihood of a successful attack.
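The check described in the patent text above can be modelled as a challenge-response between the secure circuit and the camera unit. The sketch below is an added illustration, not code from the patent or from Apple; the array size, mode labels, frame layout and exact-match comparison are all assumptions.

```python
import secrets

DOT_COUNT = 64                     # assumed dot-projector array size
MODES = ("2D", "3D")               # assumed labels for the two capture modes
ALL_DOTS = frozenset(range(DOT_COUNT))

def new_challenge(n_frames=4, n_lit=24):
    """Secure-circuit side: pick a secret mode sequence and probing pattern."""
    rng = secrets.SystemRandom()   # OS CSPRNG, so the choice is unpredictable
    return {
        "modes": [rng.choice(MODES) for _ in range(n_frames)],
        "pattern": frozenset(rng.sample(range(DOT_COUNT), n_lit)),
    }

def capture(challenge):
    """Honest camera unit: each frame records the mode and the dots seen."""
    frames = [{"mode": m, "dots": ALL_DOTS if m == "3D" else frozenset()}
              for m in challenge["modes"]]
    # Final probing frame: only the secret subset of dots is projected.
    frames.append({"mode": "3D", "dots": challenge["pattern"]})
    return frames

def verify(challenge, frames):
    """Secure-circuit side: gate facial recognition on both checks."""
    if len(frames) != len(challenge["modes"]) + 1:
        return False
    *sequence, probe = frames
    # Step 1: the capture modes must match the secret sequence, in order.
    if [f["mode"] for f in sequence] != challenge["modes"]:
        return False
    # Step 2: the probing frame must show exactly the secret dot subset
    # (assumption: real image data would need a tolerance-based match).
    return probe["mode"] == "3D" and probe["dots"] == challenge["pattern"]

if __name__ == "__main__":
    old = new_challenge()
    recorded = capture(old)            # frames from an earlier session
    fresh = new_challenge()
    print("live capture accepted:", verify(fresh, capture(fresh)))
    print("recorded frames accepted:", verify(fresh, recorded))
```

Because both the mode sequence and the dot subset are drawn fresh for each session, image data that does not reflect the current session's projection fails one of the two checks.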
Face ID security
Apple touts Face ID as significantly more secure than Touch ID. The chances of a random face being able to unlock your phone are cited as one in a million, versus one in 50,000 for a random fingerprint with Touch ID.
Face ID is, however, far less secure with some close family members. Apple specifically warns of higher chances of spoofing by twins, siblings and younger children.
Usage of Face ID continues to gradually expand. It’s supported by most banks and financial institutions for logging in to their apps, and WhatsApp recently added the option of using it to protect your chats. I’d like to see it further expanded, including in some of Apple’s own apps, and 93% of you agree.