With the iPhone X, Apple ditched the fingerprint scanner (Touch ID) and replaced it with Face ID. Apple has always billed Face ID as more secure than Touch ID. And while bypassing the biometric security isn’t easy, it is possible. Security researchers at the 2019 Black Hat conference revealed a possible flaw with facial biometrics.
How researchers bypassed Face ID
According to researchers, one can use modified glasses to bypass the biometric security mechanism. “By merely placing tape carefully over the lenses of a pair of glasses and placing on the victim’s face the researchers demonstrated how they could bypass Apple’s FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up,” a report on Threatpost said.
Researchers took advantage of the system’s ‘liveness’ feature, which detects whether a person is looking at the device. “They discovered that the abstraction of the eye for liveness detection renders a black area (the eye) with a white point on it (the iris). And, they discovered that if a user is wearing glasses, the way that liveness detection scans the eye changes.”
They then demonstrated this by creating modified glasses using white and black tape. In the demo, researchers showed how to bypass security and transfer money using mobile payments. Apple, in a support document, explains that Face ID was designed to avoid spoofing by masks and other techniques. To achieve this, it uses neural networks. As an extra layer of security, Apple also has an attention-aware feature.
How companies can tighten the security
While researchers have found a way to bypass facial biometrics, the exploit is very difficult to pull off. In terms of mitigation, researchers suggest that manufacturers add identity authentication for native cameras. They also recommend increasing “the weight of video and audio synthesis detection.”