Well, in theory it is not.
A few days ago, I came across WIRED’s attempt to fool Apple’s new Face ID security system. They made a cast of an employee’s face and then produced five different masks from that cast, all made from different materials. Their thinking was that Face ID’s infrared camera might reject certain materials if they were not similar enough to human skin. To make a long story short: WIRED’s attempts ended in vain.
This sparked my interest. Surely, Face ID cannot be impenetrable. When Apple first released its state-of-the-art Touch ID feature, which they were so proud of, it was hacked within a matter of days. I was expecting (and hoping for) the same results when it came to Face ID. My wishes will eventually be granted: Apple’s new security system will be spoofed. So far, though, my expectations have not been realized.
At first, I assumed that Apple was relying on primitive methods of 2D facial recognition. To make this method more secure, they would have done some special programming that requires a user’s face to match more data points than usual. Obviously, Apple would not let anyone know what those were. I had devised a simple way to determine what those extra points were. Those points could then be isolated and focused on when it came to face replication. It was perfect… and easy.
Turns out, it was too easy. I did some online research and came across their official overview. Apple was not relying on 2D facial recognition; they had transcended to three-dimensional methods. They actually create and keep a 3D map of your face. When a face attempts to unlock the device, another 3D map is taken of that face. The two maps are then compared against each other. If Face ID decides the two three-dimensional maps are enough alike, it considers the faces to be the same and unlocks the device.
This means that WIRED’s attempts at fooling the iPhone X were probably pointed in the right direction. Apple’s advanced method of facial recognition can only be fooled by creating some type of 3D object that closely resembles the face’s x, y, and z coordinates. Eye depth, how far the nose protrudes away from the face, how fat the lips are, and much more would have to be taken into consideration. On top of that, the material would have to react to an infrared camera the same way human skin would. Apple also requires that the eyes of the face be looking at the device to prevent accidental unlocks.
Although I cannot attempt to hack Face ID myself because I lack an iPhone X and the time necessary, I have some thoughts on what it would take when attempting to do so. My hope is that someone will come across this and give it a go.
The first thing to do is find the appropriate material, if it exists. The material must react the same way human skin does when exposed to infrared. The internet will most likely reveal the answer. However, if it does not, using an infrared camera to take images of different materials and comparing them to images of human skin would be a fairly easy way to figure this out.
Perhaps a majority of materials behave the same way to infrared and this is not too much of an issue. In which case this problem has unraveled itself.
Ideally, a three-dimensional model of the face can be rendered in computer software and then printed using a 3D printer. Or, if not possible, techniques similar to WIRED’s methods can be used and improved upon. For instance, I would not suggest making a mask. Doing so presents several issues when it comes to putting the mask on someone’s face: nose thickness, deeper eye recession, etc.
The replication should be a stand alone object. Apple may also take eye color into effect, so beware of that one.
Keep in mind that the idea here is not to create a replication that only looks like the original face to the human eye, but one that is indistinguishable even to an infrared camera. WIRED did not do this and it may be why they failed. I would suggest making use of an infrared camera and seeing how the replication compares to the original in an infrared image.
It is always a possibility that Apple will release a developer’s guide, allowing the use of their Face ID security system within apps. In which case, it may allow developers to raise or lower the threshold Apple uses to determine if a face is similar enough to the original. If so, this would be incredibly useful to those trying to figure out ways to spoof it. By raising or lowering the bar, replicators can use it to determine what changes to their face bring them closer or push them further from spoofing the highest possible threshold.