iPhone Face ID not fooled in fake head test as Android rivals fail
A 3D-printed head has shown that while Apple's Face ID is a secure biometric authentication system, other facial recognition systems used by Android-based smartphones are able to be fooled and unlocked by the fake cranium.
A 3D-printed head used to test smartphone facial recognition systems (via Forbes)
While facial recognition has been around for some time, the arrival of Face ID on the iPhone X prompted the biometric authentication type to become more commonplace. While more popular to use, Android versions don't use the same TrueDepth camera array and 3D-scanning technology as Apple, with the use of a single 2D image potentially making them susceptible to attack.
A recent test of four Android smartphones and an iPhone X was recently performed by Forbes, to try and fool the face-based security systems using a replica head. Produced by the UK-based Backface, a subject's head was created into a 3D image that was then 3D printed to life-size proportions using gypsum powder, at a cost of around 300 ($380).
For each test, the smartphones were registered to the real head of the subject, before being tested against the fake version. Notably, while the Android smartphones were all able to be beaten by the plastic face, the iPhone X was the only device on test to successfully prevent access in all instances.
The iPhone X was tested alongside the LG G7 ThinQ, the Samsung S9, Samsung Note 8, and the OnePlus 6.
The LG's initial test opened up straight away, though it is noted there was an update where LG improved the facial recognition system. After the update, it was much harder to unlock with the fake head, but it was possible under the right lighting conditions. The OnePlus 6 also opened relatively quickly.
The Samsung S9's facial recognition was defeated after multiple attempts, with varying angles and lighting, but its iris recognition system wasn't able to be beaten. The Note 8 offers two speeds of facial recognition, with the quicker option obviously less secure, but both were able to be beaten with some adjustments to the environment.
It is notable that, in the case of LG and Samsung, warnings are provided to the user about the facial recognition making a device "less secure," and that it could be unlocked by people or objects that resemble the user.
While most Android devices use a single camera lens for facial recognition, Apple's Face ID produces a depth mask of the user's face, providing a true 3D representation for authentication that is less easily fooled by printouts and other simple attempts to defeat it. At the iPhone X's launch, Apple also claimed it worked with professional mask makers and makeup artists in Hollywood during its development, and produced its own masks to train the onboard neural network.
That said, Face ID is not entirely unbeatable, as shortly after launch, two elaborate masks were able to defeat it, including one that cost just $200 to produce, but considerable effort and knowledge was required for its creation. It is also possible to be fooled by identical twins, and in one case, by one user's 10-year-old child with a familial resemblance.
A 3D-printed head used to test smartphone facial recognition systems (via Forbes)
While facial recognition has been around for some time, the arrival of Face ID on the iPhone X prompted the biometric authentication type to become more commonplace. While more popular to use, Android versions don't use the same TrueDepth camera array and 3D-scanning technology as Apple, with the use of a single 2D image potentially making them susceptible to attack.
A recent test of four Android smartphones and an iPhone X was recently performed by Forbes, to try and fool the face-based security systems using a replica head. Produced by the UK-based Backface, a subject's head was created into a 3D image that was then 3D printed to life-size proportions using gypsum powder, at a cost of around 300 ($380).
For each test, the smartphones were registered to the real head of the subject, before being tested against the fake version. Notably, while the Android smartphones were all able to be beaten by the plastic face, the iPhone X was the only device on test to successfully prevent access in all instances.
The iPhone X was tested alongside the LG G7 ThinQ, the Samsung S9, Samsung Note 8, and the OnePlus 6.
The LG's initial test opened up straight away, though it is noted there was an update where LG improved the facial recognition system. After the update, it was much harder to unlock with the fake head, but it was possible under the right lighting conditions. The OnePlus 6 also opened relatively quickly.
The Samsung S9's facial recognition was defeated after multiple attempts, with varying angles and lighting, but its iris recognition system wasn't able to be beaten. The Note 8 offers two speeds of facial recognition, with the quicker option obviously less secure, but both were able to be beaten with some adjustments to the environment.
It is notable that, in the case of LG and Samsung, warnings are provided to the user about the facial recognition making a device "less secure," and that it could be unlocked by people or objects that resemble the user.
While most Android devices use a single camera lens for facial recognition, Apple's Face ID produces a depth mask of the user's face, providing a true 3D representation for authentication that is less easily fooled by printouts and other simple attempts to defeat it. At the iPhone X's launch, Apple also claimed it worked with professional mask makers and makeup artists in Hollywood during its development, and produced its own masks to train the onboard neural network.
That said, Face ID is not entirely unbeatable, as shortly after launch, two elaborate masks were able to defeat it, including one that cost just $200 to produce, but considerable effort and knowledge was required for its creation. It is also possible to be fooled by identical twins, and in one case, by one user's 10-year-old child with a familial resemblance.
Comments
If it wasn't broken (as in insecure), and they can build a near-bevelless smartphone by using new tech that allows for under-screen fingerprint sensing why even bother with face-scanning? Marketing I suppose.
Me, I'm waiting for Apple to fold FaceID into the Apple Watch, and other appropriate devices, which would be notably superior to Touch ID, IMO. Not seeing why you care, other than the OP was comparatively unfavorable to Android OS devices.
No, IMO rather than for security itself the reason Apple went to FaceID was to allow for a larger screen which is something some percentage of Apple buyers were wanting. Having to choose one or the other appears to no longer be a technical requirement. As little as a year ago it was.
As for the "marketing" comment I made I meant Android OEM's doing so mostly for that reason and not Apple.
So for me at least, the product is much more user friendly. That's the goal of devices like phones...to just work.
Besides, I'm not really understanding why you care who has an opinion to share in an Apple vis a vis Android thread.
Chances of finding an identical fingerprint: 1 in 50,000
Chances of finding an identical face: 1 in 1,000,000
So unless you have an evil twin, facial recognition is more secure. It's just the Android implementation that isn't
So no, it's not just marketing.
As someone who lives in a northern climate, being able to unlock my phone without removing my gloves is a pretty big thing.
The entire point of the X and beyond is the new size, dropping the forehead and the chin to get a bigger screen in the same shell size. This was achievable only by using Face ID sensors. As an actual iPhone customer, I love this. I get more space without a significantly bigger phone.
The Bkav claim was obviously a scam to gain traffic/hits. Ars asked them some very blunt and specific questions about how they conducted their tests and they either didn't answer or they provided vague unrelated answers.
Everyone knows during the enrollment/learning phase of FaceID that if a PIN is entered after a failed facial recognition that FaceID will "learn" by also including attributes from the recently scanned face. So Bkav likely committed fraud by using this method to also learn the mask (in addition to the users face) to get it to work. It's the same as when early tests showed two people unlocking the same device.
It's funny that nobody has duplicated their results. Any bad press about Apple generates a huge amount of traffic, and someone legitimately tricking FaceID would have found the "Holy Grail" for Apple haters and would become an instant hero in their eyes. The potential reward for fooling FaceID is substantial, so why aren't we seeing people trying this?
Yup. I have Touch ID on my iPad, Face ID on my iPhone, and guess which I have more issues with? Moisture on finger on the Touch ID.
There's no more proof than this repeated pattern that these copycats just don't get security well enough to do it correctly. They are only concerned with following Apple and pretending to be "good enough".
In other news.....
Tell me about it? Where's the media uproar over inferior knockoffs? #FaceGate? Class action lawsuits?
Oh but #EvilTwinGate is a real problem.
Security-wise I doubt there is a single member here concerned about TouchID on any of their devices being insecure or exposing them to unlocks by a thief, friend, family member, or random stranger.