Security watchers have given Apple’s introduction of facial recognition technology a cautious welcome. The newly unveiled iPhone X smartphone débuts an advanced facial recognition technology, called Face ID, which relies on Apple’s TrueDepth camera system. The technology features seven sensors and machine learning algorithms …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Page:

Wednesday 13th September 2017 11:53 GMT Mage

Biometrics

Repeat after me:

Biometrics do not replace passwords. Because when (not if) the item is replicated or system hacked you can't change your fingerprints/retina/face structure/<random biometric item>

Biometrics to use as a key or purchase verification is NEVER going to be a good idea.

P.S. I know how to defeat this

67 2 Reply
1. Wednesday 13th September 2017 13:03 GMT Lee D
  
  Re: Biometrics
  
  I am by no means an expert but I'd go for:
  
  - Bit of paper with a full-page photo, folded to the shape of the face that's on it?
  
  - Bit of paper with a full-page photo, wrapped around a mannequin head.
  
  - Bit of paper with a full-page photo, held over the attackers own face.
  
  Sure, it might take a bit of squidging and folding to get it right but you only need to get in once.
  
  I'm still struggling to work out why using face-rec to unlock a phone isn't viable just because the user is asleep. I don't buy that one at all. I mean, maybe a pair of Goggly Eyes might come into play to convince it that they have their eyes open, but I don't think we're talking hi-tech.
  
  Biometrics are not authentication.
  
  They say "I am shortly going to prove that I am this person" and then tell you which person that is. They DO NOT PROVE that you are that person. That's what actual authentication is.
  
  18 1 Reply
  1. Wednesday 13th September 2017 13:39 GMT Charles 9
    
    Re: Biometrics
    
    Simple. Think of all those people WITH BAD MEMORIES.
    
    0 3 Reply
    1. Wednesday 13th September 2017 14:05 GMT Felonmarmer
      
      Re: Biometrics
      
      Think of all those twins. The evil one could steal the others phone!
      
      22 0 Reply
      1. Wednesday 13th September 2017 21:14 GMT Trigonoceps occipitalis
        
        Re: Biometrics
        
        Identical twins come in two varieties, some are mirror images of each other, the rest are not. (Depends when in gestation the zygote splits.)
        
        Some evil twins are going to need a shiny object.
        
        2 0 Reply
  2. Wednesday 13th September 2017 13:43 GMT FIA
    
    Re: Biometrics
    
    I am by no means an expert but I'd go for:
    
    [snip list]
    
    The keynote implied they'd at least done some research into this. It mentioned they'd worked with film mask makers to attempt to mitigate this attack. They showed some very convincing looking masks, that were apparently used in the development process to train the recognition algorithms. I'm sure it's going to be fooled, but it did at least sound like they've considered the most obvious avenues of attack.
    
    I'm still struggling to work out why using face-rec to unlock a phone isn't viable just because the user is asleep. I don't buy that one at all[...]
    
    I didn't take this too seriously either, the same person said "Even if the new Apple algorithm for facial recognition cannot be fooled by photography, vertical self-videos can easily be found in the public domain - for example, on Instagram - and could be used to crack the device." Now, maybe they had access to prototype hardware, discovered and chose not to share this vuln with apple, or maybe they're not quite as knowledgeable as they think. (Or maybe 'possibly' just got omitted from the transcript?)
    
    Biometrics are not authentication.
    
    They say "I am shortly going to prove that I am this person" and then tell you which person that is. They DO NOT PROVE that you are that person. That's what actual authentication is.
    
    This a thousand times over!
    
    You're trading convenience for security.
    
    So long as you know this it's fine, but I fear many people don't. (My fingerprint unlocks my phone, however it doesn't log me into my banking app no matter how many times the app tries to tell me I should let it).
    
    11 0 Reply
    1. Wednesday 13th September 2017 14:50 GMT Lee D
      
      Re: Biometrics
      
      @FIA: People said the same about fingerprint readers, and then Gummi Bears foiled us all.
      
      I'm not saying they haven't looked. I'm saying that the chances of them defeating that kind of attack are slim.
      
      The precision to which you can measure a face depthmask, but still recognise it from any angle in any circumstance, with any hairstyle, etc. are very limited. Limited enough that it would be a viable attack still, no matter the amount of technology involved.
      
      The fuzzy logic that must be involved alone gives you huge scope for simple tricks.
      
      When the device is available to the general public, I give it a week or so before a viable bypass is found, with, say, even a low 10% success rate (hell, we can just have as many goes as we need to, really, just make them flux quick so they iPhone just thinks the videostream is one jerky stream of bad images rather than someone actually trying to brute-force the proper depth map).
      
      I imagine it wouldn't be outside the realms of possibility to have some kind of overlay on the camera sensor that can actually "fake" any depth you like to the same kind of resolution, either, if it's just IR.
      
      7 1 Reply
      1. Wednesday 13th September 2017 15:40 GMT FIA
        
        Re: Biometrics
        
        @FIA: People said the same about fingerprint readers, and then Gummi Bears foiled us all.
        
        I'm not saying they haven't looked. I'm saying that the chances of them defeating that kind of attack are slim.
        
        Apologies, I mistook your comment for the usual 'I'll hold up a photo, I bet they never thought of that' comment that I've read a lot of; often written as though they assume people develop these things without even considering the issue. I was just alluding to the fact they had considered this.
        
        I agree that it's a case of 'when' not 'if' though.
        
        Like with any of these things it does just boil down to convenience vs security. A face or fingerprint is probably good enough for most people, and I suppose at least if I steal your phone but don't take a picture I probably can't then lift the access method from the device.
        
        I'd be interested to know the failure tolerances though, I assume it does 'give up' after a while and enforce the use of the pin like it does with the fingerprint reader?
        
        6 1 Reply
        
        Wednesday 13th September 2017 23:17 GMT AdamWill
        
        Re: Biometrics
        
        Also remember that the vast majority of smartphone users have such a strong preference for 'convenience' it's almost off the charts.
        
        I'm actually (for once) more or less entirely positive about touch ID and face ID for 99.9% of phone users for this simple reason. I mean, the internet is full of comment threads like this about how touch ID can be 'defeated' using complex schemes involving gummy bears or whatever and face ID can maybe be defeated by, well, we don't know yet, but very likely something at least equally complex (given that Apple really does seem to have done some pretty solid work on making it resist the old 'use a photo' gag, etc.)
        
        This is all fine and dandy and very nerdy, but rather heroically missing the point. How hard was it to break into most people's phones *before* touch ID? It was about as hard as 'pick up phone, swipe screen', because most people *just didn't bother locking their phones*. They don't want to bother typing a passphrase or swiping a pattern, it's effort they're just not willing to expend.
        
        Even people who *did* lock their phones generally used a hilariously weak password or pattern and never, ever changed it. Getting into one of those is about as hard as 'try 1234' or 'shoulder surf for a few minutes until you see them enter the pattern, *then* steal the phone'.
        
        It's not like the competition for touch ID / face ID is 'a world of people who lock their phones with strong passwords and change them regularly'. It's 'a world of people who don't lock their phones or use 1234 as the password'. Given this, all the arguing about Mission Impossible-style scenarios is a bit ludicrous. Touch ID vastly improved *practical* security in the real world by making it much more convenient to have at least *some* security, to the point where lots of people use it who never locked their phones before. That's a *good* thing.
        
        It does seem to be the case that face ID isn't *really* better than touch ID in any particularly identifiable way but Apple chose to go with it because of the 'can't put a fingerprint sensor on the front' problem, and that's a decision you can reasonably question. But I don't really have a lot of time for 'well, some security researchers managed to compromise it with an awful lot of effort and time so it must be a terrible idea' dick-waving.
        
        14 1 Reply
        
        Saturday 16th September 2017 01:42 GMT HelpfulJohn
        
        Re: Biometrics
        
        If they really can not put a fingerprint sensor on the front, due to the screen filling that region, why not put one on the *back*?
        
        Or am I missing something obvious?
        
        0 0 Reply
      2. Thursday 14th September 2017 08:09 GMT Wayland
        
        Re: Biometrics
        
        As a convenient way of locking your phone it's quite good but then so is the fingerprint. However since the technology to read the face is here then so is the technology to simulate the face. Heck you could 3D print a face. It's not super secure.
        
        2 2 Reply
        
        Thursday 14th September 2017 15:02 GMT D@v3
        
        Re: 3D print a face?
        
        Sure, right after you have 3D scanned the face of the person who's phone you've just pinched.
        
        As with the 3D printer a finger print solution that has been suggested before, it seems to me the main problem with most of the ways that i have heard of to 'beat' these various methods of biometric security, involve having access to fairly complicated equipment, and time. Not things that your average mugger on the street have access to.
        
        0 0 Reply
  3. Wednesday 13th September 2017 16:42 GMT Gotno iShit Wantno iShit
    
    Re: Biometrics
    
    - bit of paper wrapped round a gummi bear?
    
    11 0 Reply
  4. Wednesday 13th September 2017 23:47 GMT billdehaan
    
    Re: Biometrics
    
    Bit of paper with a full-page photo, folded to the shape of the face that's on it?
    
    Years ago, in Japan, where they sell everything in vending machines, they started selling adult products (porn, sex toys, whatever). Of course, the government required that there be safeguards to prevent underage buyers from obtaining these products.
    
    Of course, they did anyway, and when they pulled the vending machines and looked at the photos of the buyers of all these products, they noticed a staggering number of pop stars, actors, and actresses. Although the facial recognition software was very good at differentiating between a face that was 12 years old and one that was 19, it wasn't good at differentiating between a 32 year old actress and a photograph of a 32 year old actress.
    
    8 0 Reply
  5. Thursday 14th September 2017 12:14 GMT Voland's right hand
    
    Re: Biometrics
    
    Bit of paper with a full-page photo, held over the attackers own face.
    
    Every sign printing shop has a printer which can print on vinyl sticky film.
    
    Similarly, every sign shop bod knows how to apply said film to a curved surface. All you need is a hair drier.
    
    Unless the phone scans in UV and IR as well I do not quite see how you can defeat that.
    
    1 2 Reply
    1. Thursday 14th September 2017 15:46 GMT JCDenton
      
      Re: Biometrics
      
      Read up on it a bit more. FaceID incorporates an IR camera among others. It isn't easily fooled. Amazingly, Apple thought of all this when they made it.
      
      That last line sarcasm, FYI.
      
      0 0 Reply
2. Wednesday 13th September 2017 18:07 GMT Robert Helpmann??
  
  Re: Biometrics
  
  Biometrics do not replace passwords...
  
  Precisely. Biometric measurements are fine as a method of identification, but not as a key. Who I am should establish my user ID, but it should never be used as my password.
  
  12 0 Reply
  1. Thursday 14th September 2017 10:00 GMT SAdams
    
    Re: Biometrics
    
    “Biometric measurements are fine as a method of identification, but not as a key. Who I am should establish my user ID, but it should never be used as my password.”
    
    This seems to miss a LOT of people. I’ve heard suggestions that DNA would be good for secure authentication - which is a bit like having a password you write on post it notes and leave everywhere you go!
    
    4 0 Reply
3. Thursday 14th September 2017 10:43 GMT Anonymous Coward
  
  Over Engineered. Give me an iPhone XE with just Pin.
  
  It's completely over engineered for the sake of it. I'd happily take the iPhone XE without the fancy facial recognition and just a pin, with a smaller segment cut out the top of the display.
  
  Absolutely no interest in using facial recognition. Even with touch ID, I still use a pin.
  
  I'm sure the iPhone XE (like the iPhone SE) will happen soon enough.
  
  3 0 Reply
4. Saturday 16th September 2017 01:36 GMT HelpfulJohn
  
  Re: Biometrics
  
  "P.S. I know how to defeat this"
  
  As do I. Cut the poor bastard's face off when you steal his phone. It works for fingerprints and retinal scans, too.
  
  Doing a life-like Hollywood SFX mask of the face might work, as in "Mission Impossible" movies. If you put it over your own face to fool the heat sensors.
  
  1 0 Reply
Wednesday 13th September 2017 11:58 GMT The Man Who Fell To Earth

Like fingerprints

Cops in the US can force you to unlock your phone without a warrant if it can be unlocked using biometrics. But Apple has now made it so they can just hold it up to your face, alive or dead (with eyes open). Great...

41 1 Reply
1. Wednesday 13th September 2017 13:07 GMT Lee D
  
  Re: Like fingerprints
  
  No different to fingerprints. Get you to touch ANYTHING (not even the phone) and they could unlock your phone.
  
  This is why we do not use biometrics as authentication, only identification.
  
  Identification = "I'm claiming to be Mr X"
  
  Authentication = "I have proven that I am that person".
  
  22 0 Reply
  1. Wednesday 13th September 2017 13:40 GMT Charles 9
    
    Re: Like fingerprints
    
    Then how do you deal with STOLEN credentials?
    
    1 1 Reply
2. Wednesday 13th September 2017 14:35 GMT Dave 126
  
  Re: Like fingerprints
  
  > Cops in the US can force you to unlock your phone without a warrant if it can be unlocked using biometrics. But Apple has now made it so they can just hold it up to your face, alive or dead (with eyes open). Great...
  
  Biometric ID is disabled if you tap a button five times, on the latest iOS. Biometric unlocking is also also disabled if the phone hasn't been unlocked for a period of time, or has been power cycled. Additionally, even an unlocked phone won't talk to a computer it's plugged into without the passcode.
  
  It's strange, but it's almost as if Apple have put some thought into this...
  
  12 3 Reply
  1. Wednesday 13th September 2017 14:45 GMT Lee D
    
    Re: Like fingerprints
    
    Fun prank.
    
    Press everyone's button five times, and see if they remember what the passcode they set up months ago was supposed to be....
    
    21 3 Reply
    1. Wednesday 13th September 2017 18:40 GMT Anonymous Coward
      
      @Lee D - fun prank
      
      Touch ID requires that you re-authenticate with your password every 48 hours (I think it is supposed to be that, though I think I've seen it sometimes go a bit longer) so it isn't like you have to worry about forgetting your password even if you haven't restarted your phone (which also requires the password) in a long time.
      
      I have to imagine Face ID works the same way.
      
      3 1 Reply
    2. Tuesday 28th November 2017 12:50 GMT gnasher729
      
      Re: Like fingerprints
      
      "Press everyone's button five times, and see if they remember what the passcode they set up months ago was supposed to be...."
      
      Oh, you're so funny. Do you think Apple didn't think of that?
      
      After about four days, both TouchID and FaceID don't work anymore. So you will have to enter your passcode every four days.
      
      0 0 Reply
  2. Wednesday 13th September 2017 15:02 GMT Anonymous Coward
    
    Re: Like fingerprints
    
    It's strange, but it's almost as if Apple have put some thought into this...
    
    Sure they put some thought into this - a lot of marketing thought. Like Cook's lame painting of why Apple took years to go with OLED screens. (Bought from Samsung.) And why Apple took a long time after Samsung to implement facial recognition, or wireless charging, or took a long time after Android to implement voice commands. Yet marketing each is if Apple were first.
    
    I don't have a problem with Apple's products. I have a problem with Apple's lack of honesty.
    
    22 2 Reply
    1. Wednesday 13th September 2017 16:14 GMT Wilseus
      
      Re: Like fingerprints
      
      "Yet marketing each is if Apple were first."
      
      They've been doing that kind of thing for decades, such as when they proudly proclaimed that their new Power Mac was the first RISC home computer.
      
      No it fucking wasn't.
      
      12 0 Reply
    2. Thursday 14th September 2017 06:54 GMT poopoo
      
      Re: Like fingerprints
      
      I agree with that. Apple had to be dragged kicking and screaming into environmental responsibility, then you'd think they invented it. Likewise they swore the single button mouse was so much better. I believed them, until of course I got a two button mouse.
      
      2 0 Reply
      1. Thursday 14th September 2017 16:46 GMT Anonymous Coward
        
        Re: Like fingerprints
        
        When the Mac was introduced in 1984 nobody had been exposed to a mouse before, so a single button probably made sense to avoid complication. The problem it became almost a religious dogma for Apple even after the whole world knew how to use a mouse and software was becoming ever more complex and could benefit from the extra contexts multiple mouse buttons provided.
        
        2 2 Reply
3. Wednesday 13th September 2017 15:49 GMT Jason Bloomberg
  
  Re: Like fingerprints
  
  they can just hold it up to your face, alive or dead (with eyes open).
  
  Thank fuck for that. I was trying to figure how I'd get a victim to unlock their 'X' while they were screaming and all wide-eyed in terror. Thought I might have to choose a new line of business for a while there.
  
  8 0 Reply
4. Thursday 14th September 2017 04:38 GMT JBowler
  
  Re: Like fingerprints
  
  This is why recent Android revisions have required PIN entry after a restart; previously the fingerprint was enough. If you obey the rules and shut your phone down on take-off and landing the US border control cannot open your (Android) phone. There is a risk because they have jurisdiction within 200 miles of the border, but this is a border control issue; every other law enforcement authority in the US requires a search warrant first.
  
  John Bowler
  
  1 0 Reply
5. Thursday 14th September 2017 22:14 GMT pleb
  
  Re: Like fingerprints
  
  Sure, but since at least two cops will have gooned at it already it will revert to requiring your pass code by the time they have you in a headlock.
  
  0 0 Reply
Wednesday 13th September 2017 12:03 GMT Sureo

I can't help wondering what happens when the owner dies. I suppose they'll just bury the gadgets along with the body, giving lie to the saying 'you can't take it with you'.

5 0 Reply
1. Wednesday 13th September 2017 18:42 GMT Anonymous Coward
  
  Same thing that happens when the owner dies and doesn't leave the password behind. You don't need the dead person's face, their password will do as well. If they didn't leave you their password it doesn't make it any easier if they weren't using biometrics.
  
  1 0 Reply
2. Thursday 14th September 2017 06:44 GMT Chris 3
  
  Apple requires you to have a passcode in addition to TouchID/FaceID
  
  0 0 Reply
Wednesday 13th September 2017 12:03 GMT Anonymous Coward

Has anyone tested it with black people?

35 4 Reply
1. Wednesday 13th September 2017 12:23 GMT MrXavia
  
  A scary thought.
  
  This uses a projected IR dot pattern for the 3d, in theory I could see that very dark black skin may absorb enough of the IR so that it isn't able to sense the depth, the same way that some IR sensor hand dryers/faucets wont work for black skin..
  
  You have to hope Apple have tested this with many different skin types and makeup.
  
  13 1 Reply
  1. Wednesday 13th September 2017 13:49 GMT Mongrel
    
    Or just a reference to the awesome show "Better Off Ted". Well worth seeking out if you haven't seen it.
    
    "Veridian Dynamics. Diversity: just the thought of it makes these white people smile"
    
    4 0 Reply
    1. Thursday 14th September 2017 07:52 GMT eldakka
      
      Or just a reference to the awesome show "Better Off Ted".
      
      Loved that show, I'm still perplexed to this day why it didn't have a longer run (but then, I feel that way about Firefly too).
      
      0 0 Reply
  2. Wednesday 13th September 2017 18:44 GMT Anonymous Coward
    
    Dark skin
    
    That's a good point, Apple would be in for some MAJOR criticism if that turned out to be a problem! I don't think makeup is much of a concern compared to that, since wearing makeup is a choice like wearing giant sunglasses or a ski mask.
    
    2 1 Reply
Wednesday 13th September 2017 12:05 GMT SkippyBing

Currently my phone is lying flat on my desk, I can unlock it without picking it up it with my finger or a pin and check the screen for notifications. How is a system that requires picking it up to be scanned by its camera(s) making my life easier?

Android phones have had face unlock for a while, I don't think it's concerns over the security that have prevented its widespread adoption, more the fact it's less convenient that any other method.

24 0 Reply
1. Wednesday 13th September 2017 12:24 GMT Johnr
  
  Which was my first thought ... OOOOOHHHHH Apple 10 Face recognition!!!! ,Wireless charging!!!! better camera!!!!!! or what Android has been doing already for 2 years
  
  But you know the fanboys will be lining up to pay through the nose.
  
  Fools and their money.....
  
  15 4 Reply
  1. Wednesday 13th September 2017 12:27 GMT Anonymous Coward
    
    Odd, could swear blind those Nokia's ran Windows Phone.
    
    5 0 Reply
    1. Wednesday 13th September 2017 13:07 GMT The Original Steve
      
      My 2 - 3 year old Lumia 950 XL (stop laughing at the back!) has Qi and face unlock.
      
      Sammy nailed edge screens a couple of years ago.
      
      So what's new other than wanky emojis?
      
      And £1000! A fool and their money.. .
      
      20 0 Reply
      1. Thursday 14th September 2017 07:37 GMT Whit.I.Are
        
        I had a Nokia Lumia 820 in 2012, that had Qi wireless charging...
        
        0 0 Reply
2. Wednesday 13th September 2017 12:53 GMT James Delaney
  
  <blockquote>Currently my phone is lying flat on my desk, I can unlock it without picking it up it with my finger or a pin and check the screen for notifications. How is a system that requires picking it up to be scanned by its camera(s) making my life easier?</blockquote>
  
  I think you'll still be able to do this, just tap the screen. You might have to raise it to interact with those notifications but according to the keynote it looks like you'll definitely be able to see them without picking it up.
  
  1 0 Reply
Wednesday 13th September 2017 12:06 GMT Anonymous Coward

I agree with all comments below

7 0 Reply
1. Wednesday 13th September 2017 12:18 GMT Anonymous Coward
  
  Jaffa cakes are biscuits
  
  Muffins are round bread rolls.
  
  Marmite is lovely.
  
  Theresa May is the greatest leader.
  
  Trump is super cool.
  
  9 4 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Topics

Special Features

Vendor Voice

Resources

COMMENTS

Page:

Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: 3D print a face?

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Re: Biometrics

Over Engineered. Give me an iPhone XE with just Pin.

Re: Biometrics

Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

@Lee D - fun prank

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Re: Like fingerprints

Dark skin

Page:

POST COMMENT House rules

Enter your comment

Add an icon

Other stories you might like

Apple to allow some iPhones to be repaired with used parts

Academics probe Apple's privacy settings and get lost and confused

Apple stops warning of 'state-sponsored' attacks, now alerts about 'mercenary spyware'

Apple's failure to duck UK antitrust probe could bring £785M windfall for devs

Apple cuts hundreds of jobs after ditching the car project and more

Apple's GoFetch silicon security fail was down to an obsession with speed

Apple iPhone AI to be powered by Baidu in China, maybe

No joke: FTC boss goes on the Daily Show and is told Apple tried to block her

Apple fans deluged with phony password reset requests

TSMC's 3nm node powers up, setting stage for tech giants' next-gen chips

Woz calls out US lawmakers for TikTok ban: 'I don’t like the hypocrisy'

Uncle Sam, 15 US states launch antitrust war on Apple

About Us

Our Websites

Your Privacy