The digital security experts at Bkav have followed up on their initial claims of Face ID’s spoofability with a new video showing how the iPhone X’s biometric authentication system can be fooled by a mask.
The mask is designed to look like one of Bkav’s researchers, and is made of stone powder, with 2D images of the user’s eyes. A video demonstrating the hackers’ method shows one of them enrolling for Face ID on the iPhone X, and then unlocking the device by positioning it in front of the mask.
The researcher takes care to note that the iPhone X’s ‘attention aware’ feature, which requires the user to make eye contact with the device in order to authenticate via Face ID, is activated during the spoofing exercise.
While Apple has highlighted the heightened security of Face ID over its Touch ID fingerprint scanning system, and reviewers have generally found the system to be highly effective, there have been reports of twins successfully fooling the system. Bkav’s latest effort shows how a ‘twin’ can effectively be fabricated; the researchers call their mask “the artificial twin”.
A previously announced spoofing method led the researchers to conclude that billionaires and national leaders could be susceptible to elaborate, mask-based spoofing attempts. Now, their latest spoofing method has prompted them to argue that Face ID should not be used for any business transactions, since masks can be created using 2D images of the victim and easily obtained materials costing about $200 per mask.
The Bkav team’s success in spoofing Face ID helps to highlight the advantages of multimodal biometrics, with the iPhone X relying solely on facial recognition while rival devices like Samsung’s Note8 feature both iris and fingerprint recognition.