Face ID is a huge step forward.

Nov 17, 2017 · 6 mins read · Costantino Pistagna · @valv0

Face ID is a huge step forward.

Straightforwardly, the game is all played on the A11 Bionic chip. The screen is a gorgeous never seen OLED display and the battery is lasting more, sure. But the only and real big difference with the younger brother iPhone 8 is the little camera put in the highly discussed Notch space on the top of the iPhone X.

Modern security, at the time of Internet, is based on passwords. There is a password for everything: bank, email, social networks, anything. Sequences of characters that could be repeated or not fortifying access to our most intimate secrets. Computers going faster? No problems!, we increase the complexity of the password. It is a consolidated mechanism. As well as the techniques to attack it: if you know the password you’re in.

It does not matter how you got it. You might have tortured your target or you might have kidnapped a family member. It does not matter. If you know the password, you can enter. What is missing from current systems is precisely this: the concept of context awareness.

A password is a discrete sequence of bits. If you know them you can come in without any context.

Let’s imagine for a moment an imminent future, in which our iPad recognizes us even before we get access to the main screen. But what does mean to recognize?

To recognize, in one of its simpler computer security assumptions, means showing and matching the answer to a particular question that only two players know: the owner of the device and the device itself, in our case.

If the computing power increases, passwords are easily discovered and in the era of data mining we are no longer safe either behind 8192 bytes of security. It is necessary to add a new degree of complexity without complicating the concept itself. Indeed, it would be better to simplify it. Apple’s Face ID was born as a response to these challenges.

Let’s start by saying: “No, please. Face ID is not the same visual protection mechanism that comes with Samsung Note 8.”

These systems, in fact, fall into the concept of password. Simply and fast: they match a biometric feature — fingerprint or image captured by the camera — to a unique string that is sent as password. Nothing more: “at line corresponds bit and vice versa”.

Why is Face ID different? By using special built-in registers and instructions, Apple’s A11 Bionic processor accelerates and makes supervised learning operations fast and simple.

To be slim and computationally efficient, these computations need to be done over specifically crafted samples. The samples, as a result, cannot come from a normal camera. On the latter, in fact, there are too many problems of false positives, noise and tons of unnecessary informations that are completely useless in such computation.

Special infrared cameras — the famous TrueDepth sensor — have been used to discern with mathematical certainty the features of the face.

Fig.1

Up to here, there are still no differences between Face ID, Touch ID, and Android smartphone with visual recognition from the camera: rawly speaking, biometric characteristics are remapped to strings used as passwords.

What makes Face ID different from everything else is the software component.

Your face characteristics are passed to a supervised learning engine that tries to isolate and make more precise those discrete features pulled out from the infrared sensor above.

The famous 30,000 points projected on the face serve just to this.

Whenever the scene differs too much from the features retained by the A11 Bionic chip, the system takes a new snapshot, asks for the password on the keypad as confirmation and these new data are added to those already existing according to a secret heuristic known only by Apple.

Clearly, this computational weight is expected to grow over time: snapshots are becoming more and more numerous as well as false positives that unintentionally will arrive.

Known Attacks shown

Let’s digging into informations that are circulating in these weeks. A Vietnam security group, Bkav, has violated Face ID with a $150 artificial mask.

On Youtube, a funny family is unlocking an iPhone X, previously setted up with the father face, with the help of their little boy’s face, barely adolescent.





and what about the two twins that unlock the phone without too much troubles?





What is going on? Apple has become silly? Absolutely not.

Apple, with its Face ID mechanism, is trying to make a new leap forward by adding the concept of context awareness as complexity to the recognition equation.

Unlock the device only if you are awake and watching the screen; avoid unlocking the device with your face if your facial expression has a scared or worried expression.

These are just two example of how much complex can be the new recognition pattern that Apple is trying to build.

It’s not enough that the face is the one biometrically stored — the string — It is also necessary to extrapolate the context in which you are trying to unlock the device.

The A11 bionic chip and AI behind Face ID try to do this. Clearly this is the first large-scale attempt up to date.

Why the above attacks are not an issue?

To understand this we have to go back a bit and add a new concept: volunteering of the target.

In all cases mentioned above, the target to be attacked is conscious of being. Moreover, he is collaborative in the common end with the attacker to violate the system. That is, he acts as an enemy of the system itself.

Clearly, under these conditions, the basic concept of system violation loses meaning. In doing so, in fact, the AI learning engine is voluntarily altered by showing alternating false positive and negative appropriately crafted, validating them with the keypad password requirement.

Undoubtedly, there is a a very interesting research work behind these concepts demo that point out weakness that can be improved in the algorithm and the general engine. But to do this, it takes time and statistical data. This does not mean that we have to worry about it. The Face ID mechanism is absolutely robust and safe for normal human use, and it will be more and more. It’s just a matter of time, work and research.


Costantino Pistagna
Costantino Pistagna · @valv0 Costantino is a software architect, project manager and consultant with more than ten years of experience in the software industry. He developed and managed projects for universities, medium-sized companies, multi-national corporations, and startups. He is among the first teachers for the Apple's iOS Developer Academy, based in Europe. Regularly, he lectures iOS development around the world, giving students the skills to develop their own high quality apps. While not writing apps, Costantino improves his chefs skills, travelling the world with his beautiful family.