OnePlus’s new flagship smartphone can be unlocked with a photo of the user’s face, and it doesn’t even need to be in color, suggests a user video recently posted to Twitter. Demonstrating the low bar for access to the phone via its face unlock feature, the video shows the user’s friend successfully unlocking his OnePlus 6 device just by holding a black-and-white photo of the user’s face in front of his own. It takes a few tries, but it works.
With respect to contemporary mobile security, it’s an illuminating spoofing video on a number of counts. For one thing, it shows that 2D face scanning is very different from 3D face scanning: A big part of the reason that Apple was able to claim one-in-a-million accuracy for the identification capabilities of the iPhone X’s Face ID system is that it establishes a 3D map of the user’s face using an infrared grid. It just isn’t possible to replicate that map with a 2D photo, whereas the OnePlus 6’s 2D imaging system has fallen victim to that vulnerability.
The spoofing also highlights the importance of liveness detection, which can involve a number of different methods of making sure that it’s the actual user in front of the phone. Apple’s Face ID has an ‘attention aware’ feature designed to make sure that an authorized user is actually looking at the iPhone X in order to unlock it, while other approaches have involved requiring the user to blink or taking short videos to establish movement.
Finally – and this is an area where Apple is actually lacking – the OnePlus 6 spoofing points to the utility of multimodal authentication. Relying on just one mechanism is far less effective than combining them, as Samsung has done in its combination of facial and iris recognition on the Galaxy S9 smartphone. For its part, the OnePlus 6 actually has a rear-mounted fingerprint sensor, too, and OnePlus says that this feature is meant more for security while the face unlock feature is mostly for convenience. But given that the device’s facial recognition system can’t even tell when it’s being shown a black-and-white image, it is perhaps a little too convenient for most users’ comfort.