Apple’s Face ID appears to get spoofed again, but it’s complicated

The security of Apple’s iPhone X has been a topic of debate for the past week. Face ID has reportedly been spoofed by a mask*, by a pair of siblings**, and now a 10-year-old has managed to be authenticated by his mom’s Face ID. What’s going on with Apple and security?

Wired reports:

Attaullah Malik and Sana Sherwani made that discovery earlier this month, when their fifth-grade son, Ammar Malik, walked into the bedroom of their Staten Island home to admire their new pair of iPhone Xs just after they’d set up Face ID. “There’s no way you’re getting access to this phone,” the older Malik remembers his wife telling her son, in a half-joking show of strictness.

Malik offered to let Ammar look at his phone instead, but the boy picked up his mother’s, not knowing which was which. And a split second after he looked at it, the phone unlocked.

This isn’t a completely unprecedented scenario. As with the other cases of Face ID being “tricked”, Apple had noted that there are some instances in which Face ID will validate a face that looks similar to yours. This includes children under the age of 13, who don’t have “distinct” features. In the case of the Maliks, the younger child looked similar enough to both of his parents that Face ID was able to authenticate him when it had been set up in less than secure circumstances: indoor, nighttime lighting.

In truth, one can surmise that Face ID can be fooled, but doing so will be extremely difficult for any randomly chosen individual. It is much simpler to trick someone into unlocking their device than to attempt an unlikely spoof.

You’ll just need access to the passcode***, and/or over 9 hours of priming, or a 12-year-old child.

Let’s be clear: there is a very real risk of a family member who’s able to fool Face ID taking control of your device and using it to authenticate purchases and the like. The risk is small, and there are social and legal remedies for that. If you’re concerned, set a password and use that instead.

Biometrics, by their very nature, will never be truly secure; what they offer the user is convenience. The more seamless and invisible the security is, the more likely users are to make use of it. And Face ID, much like Touch ID before it, is nearly invisible to the user.

*This took a few hours of priming and could only work from certain angles.

**Unlocking the iPhone with the passcode trains Face ID to add your face to the database.

***If someone has your passcode anyway, Face ID is essentially worthless.