In a Test, 3D Model of a Head Was Able To Fool Facial Recognition System of Several Popular Android Smartphones

Forbes magazine tested four of the most popular handsets running Google's operating systems and Apple's iPhone to see how easy it'd be to break into them with a 3D-printed head. All of the Android handsets opened with the fake. Apple's phone, however, was impenetrable. From the report: For our tests, we used my own real-life head to register for facial recognition across five phones. An iPhone X and four Android devices: an LG G7 Linq, a Samsung S9, a Samsung Note 8 and a OnePlus 6. I then held up my fake head to the devices to see if the device would unlock. For all four Android phones, the spoof face was able to open the phone, though with differing degrees of ease. The iPhone X was the only one to never be fooled.

There were some disparities between the Android devices' security against the hack. For instance, when first turning on a brand new G7 Linq, LG actually warns the user against turning facial recognition on at all. No surprise then that, on initial testing, the 3D-printed head opened it straightaway. [...] The OnePlus 6 came with neither the warnings of the other Android phones nor the choice of slower but more secure recognition.

mission impossible

[e**(i+pi)-1]

is that not a bit retro? in `mission impossible' they had rubber masks which pretty much fool everybody .... not just dumb smartphones.

Re: mission impossible

Apple has many tests for these kinds of hacks that go way beyond anything reading /. will tell you

Re: mission impossible

[sarren1901]

Yep, and none of this will stop the police from holding your skull in place and forcing your index finger onto the phone to unlock it. They aren't afraid to get handsie and they tend to come in enough numbers to overwhelm you. Not to mention defending yourself against the police just gets you in more trouble.

Have fun with your "safe" phone.

Re: mission impossible

[jackson_1101]

If I was involved in the sorts of dealings that could land me in a room full of cops wanting to search my stuff , I'd be smart enough not to use facial recognition or fingerprint security.

Re: mission impossible

[jimbo]

If the RCMP wants a look at my phone I'll happily unlock it for them. What's important to me is that if a random meth-head or similar thieving opportunist steals my phone they can't grab my personal data for nefarious purposes.

If I was into serious stuff and using my daily phone for it, I'd disable biometrics. Until then FaceId is brilliant and safe for my use case.

Biometrics are generally a bad idea

[Seven+Spirals]

You can't replace your fingerprints, iris, or head once they are compromised which happens about every 10 minutes these days.

Re: Biometrics are generally a bad idea

is this like the various slapstick scenes in 101 Dalmatians?

Re:Biometrics are generally a bad idea

Speak for yourself.

Re:Biometrics are generally a bad idea

[AmiMoJo]

Biometrics are better than nothing. In this case the attacker needs to scan your head and 3D print an actual-size model of it, so it's still better than a simple pattern unlock or nothing.

It's all about understanding and evaluating the threat. Facial recognition is a cheap, fast and moderately secure system that will keep your friends and siblings and random thieves out.

People who need real security on their phones use proper passwords.

Re:Biometrics are generally a bad idea

This. Which is why biometrics are fine for user name, and not for password. No one with any technical skill ever recommends biometrics for security credentials.
Sadly the talking heads and MBAs love buzzwords and don't listen to actual code monkeys.

Re:Biometrics are generally a bad idea

That just takes a few pictures of you at different angles with a telephoto lens and a 3D printer. If this person is your stalker or a government agent, they already have the first.

Re:Biometrics are generally a bad idea

Biometrics are a username not a password.

Re: Biometrics are generally a bad idea

Telephoto lens? That's unlikely to be high enough resolution

Re:Biometrics are generally a bad idea

[CohibaVancouver]

You can't replace your fingerprints, iris, or head once they are compromised which happens about every 10 minutes these days.

How is my iris "compromised every 10 minutes?"

The only people with a hash of my iris-pair are the Canada Border Services Agency, and you can't reverse-engineer a pair of irises from a hash of them.

Re:Biometrics are generally a bad idea

[jellomizer]

True (I would like some citation that this happens every 10 minutes), However this type of information requires a targeted attack, meaning the hacker wants to break into the system with a particular persons credentials. This is a lot of work, as there are often easier ways around it. I am still baffled on why the FBI cannot break the encryption on an iPhone, where all they need to do is open up the device take out the SSD chip and download the data onto an other computer with an OS that will not delete the data and brute force try the pins. Also most hacks and break ins are not an issue of a targeted login. A phishing attack may just send out mass emails, hoping someone would think that it was their bank account and log in, or try other systems compramised logins and passwords to try with other systems. But it isn't targeted and allows a low cost for failure. Vs. having expensive equipment to duplicate your face.

Re:Biometrics are generally a bad idea

Per the story, clearly this is false, provided you're using a good system, i.e., FaceID.

Re:Biometrics are generally a bad idea

[ewibble]

That's because biometrics aren't used much, if iris scans where used to log in every web site then they would be immediately compromised the moment you logged in. Also how do you know that Canada Border Services Agency only holds the hash, did you examine the scanner code?

Re:Biometrics are generally a bad idea

[Seven+Spirals]

Also consider that cameras gain resolution all the time. Most of us who live in a city walk past multiple cameras in many situations. Humans don't have a very reflective tapetum in their eye, but some light still does get reflected out. A camera of sufficiently high resolution could capture your fingerprints, iris scan, and face with enough detail to reproduce any of the three. The are already good enough that a skilled sculptor could reproduce your face from. Fingerprints get left everywhere you go for anyone with a bit of graphite and a some clear-tape to use. So, I'll grant you that nobody is easily or frequently stealing your iris scan today, but that could change (and probably will) as imaging tech gets better. That's saying nothing about some irresponsible tech company getting hacked and losing an existing iris scan. Ultimately that machine is just scanning a 2D image that can be recreated.

Re:Biometrics are generally a bad idea

[Seven+Spirals]

I exaggerated, but we all walk past cameras every day and leave our fingerprints all over. Iris scans would only require more resolution (which gets better all the time). I share your curiosity about the PIN-brute-forcing. I'd be surprised if that hasn't already been tried or is the current state of the art for the cops already. I also agree with you about the fact that most successful authentication attacks are results of implementation errors or social engineering.

Re:Biometrics are generally a bad idea

[CohibaVancouver]

Most of us who live in a city walk past multiple cameras in many situations. Humans don't have a very reflective tapetum in their eye, but some light still does get reflected out. A camera of sufficiently high resolution could capture your fingerprints, iris scan, and face with enough detail to reproduce any of the three.

Luckily I have a wicked-awesome specially-made tinfoil hat that prevents this.

Exactly

[Artem+S.+Tashkinov]

IOW most if not all biometric authentication systems suck unless they are coupled with old boring passwords. You leave your fingerprints on everything you touch. Your face and retina can be remotely scanned, saved and duplicated. This leaves us with brainwaves but I'm not entirely sure they can't be copied as well. But you can be sure as hell brainwaves authentication will be incredibly difficult and expensive to implement for smartphone security.

Why weren't they able to crack Apple FaceID? Maybe because their 3D printer wasn't good enough as FaceID scans over 30 000 spatial dots in order to verify your identity but there were reports that it's already been cracked.

Re:Exactly

Face ID was cracked less than a month after the original iPhone X was released. In short, they're doing it wrong if they can't fool it with their head. (Most likely they screwed up the eyes. The iPhone really likes the details around the eyes.)

Re: Exactly

They can't make the company that sponsored the study look bad!

Re:Exactly

Um, how do you think they made the 3D printed head? They had physical access to the person as well. More Apple sponsored crap.

Re:Exactly

Face ID was never "cracked". There were a couple of stories where relatives could unlock a phone. None were really proven and quickly forgotten.

Anyway clearly iPhone is the superior choice here. Apple wins again. Android sucks. Whatever.

Re: Exactly

[StikyPad]

IIRC Apple looks specifically for eye movement, and probably looks at IR (aka heat) along with, or instead of, just visible light. I bet the 3D model could work using a hair dryer to heat up the outer surfaces in a lifelike manner, along with some moveable glass eyes. Not especially practical (right now), but with enough demand, a literal framework with internal heating and moving eyes could be created pretty easily, and a head model could be 3D printed around that.

Still prefer my fingerprint sensor.

Re: Exactly

[Artem+S.+Tashkinov]

I bet the 3D model could work using a hair dryer to heat up the outer surfaces in a lifelike manner, along with some moveable glass eyes.

That sounds plausible, so it's just a question of sufficient resources and time.

Re: Exactly

It doesn't look for eye movement and it doesn't measure heat off the face. It uses IR, but not that kind of IR. IR is actually a fairly large band of EMR - the type Apple uses for the iPhone is "near-infrared" while the band used for thermal imaging of human body temperatures is "long-wavelength infrared."

What it does look for is that the eyes are open and that it can see the iris. And that's almost certainly what this "3D head" was missing - eyes that the iPhone would see as being "open."

Biometrics are generally a brilliant idea

[k2r]

Thank you for pointing this out, again.
I'm sure a 4 digit code smeared on the display is a lot safer.

That is the alternative security measure for most people and thus most phones.

Biometrics that are hard to spoof within the 4 tries an adverary has before the device falls back to a 6+ character alphanumeric code are just brilliant and way more secure in real life.

Re:Biometrics are generally a brilliant idea

At least in the US, yes, the 4 digit PIN smeared all over your device is a lot safer. You see, that 4 digit PIN has been declared to be protected under the 4th amendment. Fingerprint scans and facial recognition hasn't. So nobody needs to try to spoof it, they can just force you to unlock it and hold you in contempt until you do.

Re:Biometrics are generally a brilliant idea

Should be both. What you have and what you know.

Re:Biometrics are generally a brilliant idea

[Artem+S.+Tashkinov]

You only have six attempts to guess the right password: "If you enter the wrong passcode on an iOS device six times in a row, you'll be locked out and a message will say that your device is disabled."

Good luck with that. And then it will be locked to your iCloud account which is nigh impossible to remove by anyone other Apple service centers. iPhone protection against theft is probably the best in the industry.

Re:Biometrics are generally a brilliant idea

That sounds like a good idea until you realize you unlocked your phone in the elevator to call your lawyer and the video camera now has your passcode. Passcodes are utter insecure shit.

Re:Biometrics are generally a brilliant idea

[Seven+Spirals]

aaand you miss the point ... again. You can change a fucking pin code. You can't change your iris-scan, dumbass. Not to mention the fact that you could have chose to use a password instead of a stupid ass PIN. You could have chose to use a dumbphone/dadphone and not have much information worth stealing on the device anyway, but you had to play Pokemon Go, right? We couldn't drag down your productivity by taking that away, I forgot... sorry.

Re:Biometrics are generally a brilliant idea

As tech improves, the ultimate would be a simultaneous 4 digit pin PLUS face or thumbprint, or hell all 3. The reason I say 'as tech improves', is because if it was all instant... with zero delay, then you'd only notice entering the 4 digit pin.

Re: Biometrics are generally a brilliant idea

[Zero__Kelvin]

Let's pretend you aren't a secret agent and the purpose of locking the phone is to deter theft not guard against APTs. Idiot.

Re:Biometrics are generally a brilliant idea

Biometrics are terrible, and are only useful in real life because real people would seriously consider "don't bother locking it at all" as a viable alternative to entering a strong password.

Biometrics are easy for the user, and that means they are useful in the same way that crappy cell phone cameras and cheap "range finders" before them are often the "best camera" on the basis that "the best camera is the one you actually have with you".

If you care at all about security use a strong password.
If you are concerned the password might get compromised, use a strong password, and a physical token of some sort.
If you care enough to consider that inadequate, sure toss in a biometric scanner as a placebo to make yourself feel better.

Re:Biometrics are generally a brilliant idea

[AmiMoJo]

If I were worried about a court being able to demand I unlock my phone I'd use more than 4 digits. Much more.

Re:Biometrics are generally a brilliant idea

All of these methods are a tradeoff between convenience and security. Make it too hard, and people won't set a pin at all. Because TouchID REQUIRED a PIN (as does FaceID), PIN/Password usage went UP on devices with biometric security.

Yes, if you're the kind of person that absolutely needs a 100% secure device, you probably shouldn't set biometrics up. You probably shouldn't have a smartphone either. This is a moronic false dichotomy. For 99% of the population, biometrics are by far the superior security method. You're only trying to deter casual snoopers and threats. Anyone that really wants your data will probably be able to get it one way or another.

Re:Biometrics are generally a brilliant idea

[AmiMoJo]

Aaand you miss the point... again.

Under what circumstances would you want to change your iris? Your attacker makes a copy of your iris that is good enough to fool your phone into unlocking? Then your opponent is not your younger brother or an opportunistic thief, and you picked the wrong authentication method.

If you are using biometrics as the only authentication factor in some critical application then you are doing it wrong. If you are just using it to stop your "friends" shitposting on your Facebook timeline then you are probably okay.

Re:Biometrics are generally a brilliant idea

[bob4u2c]

until you realize you unlocked your phone in the elevator to call your lawyer

Why are you calling your lawyer in the elevator? Unless your going to chat about the weather I wouldn't risk someone else listening in on the conversation. Also pass codes can be changed; your fingers, face, and voice are quite a bit harder to change.

Yes I know there are times and places you need to put in a pin (say for a debit card), in those places I usually fake a few button presses first, then put in my real pin, then a few more fake presses. Then when I'm done I lightly swipe the keypad to prevent thermal imaging from picking up heat signatures from the buttons I pressed. Am I over paranoid, maybe, that would explain why I had the bank set a 6 digit pin instead of a 4 digit one.

On the subject of pins why do we still recommend 4 digit pins? You would be insane if you have a website still using old 40bit encryption. So why are we still stuck at 4 digits for security? Let me type in a long pin if I want, say 32 digits of pi, or the first 5 fibonacci numbers. Heck I hate when sites limit me to 12 characters for passwords, if I want a 256 character password, I should be able to use that. Stop this stupid your password must include upper/lower case, x numbers, x special character, no dictionary words. I mean how likely is it that a hacker could guess that my password is "your mother likes to eat cat poop" vs a more typical "Pa$$w0rd"?

Re: Biometrics are generally a brilliant idea

[narcc]

I'm not sure how that works. Does the thief ask you if your phone is protected by a password before they take it?

Re:Biometrics are generally a brilliant idea

Unlike fingerprints, passcodes can be changed. And you can set a password of any length on Android, no need to stick with 4-digit numbers. Someone guessed your passcode? Suspecting the spooks filmed you? New passcode it is, then.

Re:Biometrics are generally a brilliant idea

[Shaitan]

The four digit pin is fine, and as someone else pointed out legally protected. Biometrics do have a serious issue, for one you just lowered the bar for biometric security to a smartphone that the carrier, feds, and Apple have backdoors into. Since those groups, and potentially their lowest common denominator of trust employee has your biometrics and can spoof them at will what are you going to use for the bank vault where you keep your diamonds?

All these mass hacks dumping credentials? Soon enough they'll be including mass dumps of biometric patterns for the users too. When your password turns up on https://haveibeenpwned.com/ you just change it anywhere you've used it and hopefully aren't using the same one in more than one place anyway. Are you going to change your Iris?

That said, if you are going to use some kind of biometric like face recognition (since your face is definitely the least secure biometric) it shouldn't be the sole form of security. The face recognition should not replace pin entry, if enabled that should be what unlocks the pin entry page. It's called two factor authentication. Now you beat the guy who watched you enter your pin, you beat the guy who 3d prints your head or even uses a picture. You also get the legal protections from being forced to enter a pin code.

Re: Biometrics are generally a brilliant idea

[Seven+Spirals]

Then you'd be a moron. Locking phones doesn't deter theft worth a shit considering they are easy to factory reset. Dumbfuck.

Re:Biometrics are generally a brilliant idea

[tlhIngan]

Thank you for pointing this out, again.
I'm sure a 4 digit code smeared on the display is a lot safer.

That is the alternative security measure for most people and thus most phones.

Actually, it is. (And on iPhone, it's a 6 digit PIN). Legally too PINs are better.

HOWEVER, people are human. And it turns out the use cases for phones is hundreds to thousands of quick glimpses at the phone throughout the day. So for the vast majority of people faced with either a PIN (or pattern or whatever), it gets in their way and it doesn't take long before the phone is set to require no PIN or other unlock mechanism.

Biometrics fixes that to an extent - fingerprints and faces can be scanned while the phone is still in motion and the phone unlocks before the user is ready, making it extremely convenient for the user to glance at it for a couple of seconds at a time. Thus, the phone can have enhanced security (i.e., a PIN) placed on it and it doesn't get in the user's way most of the time.

End result is instead of something like 70% of phones not having a PIN, with biometrics, it tilts it to around 80% of phones will have some sort of PIN or other locking system added to it, making overall security much better in the end.

Re: Biometrics are generally a brilliant idea

[Zero__Kelvin]

Tell me you aren't that fucking stupid. They pick it up and try to use it, then discovering that it is useless put it down again, or turn it in in hopes of a reward.

Re: Biometrics are generally a brilliant idea

[Zero__Kelvin]

You are a fucking idiot. Most drug addicts don't even know what factory reset is, never mind how to accomplish it. Your stupidity is astounding.

Re: Biometrics are generally a brilliant idea

[narcc]

So you use a password because you often leave your phone unattended in places filled with untrustworthy strangers?

Re:Biometrics are generally a brilliant idea

[Seven+Spirals]

Well given that fingerprints and faces are almost trivial to fake easily with items a middle-schooler has access, too, then yeah. I don't doubt that there might also be "one easy trick" to duplicate iris scans, too. Either way it doesn't matter. The point is that you cannot change your biometrics, most can be duplicated easily, and that people tend to under-utilize security. Is it a good thing so that people like you can use it for extra convenience or is it a bad thing that people (surely not yourself - oh never) would use biometric authentication when they should have used something much stronger? Do you argue with your banker that they should use a bicycle lock for their vault because it'd be easier for them to access? Convenience and security are almost always at odds. Your value judgement that convenience is better is just your opinion. The fact that you can't change biometrics is just that - a solid steel fucking fact.

Re: Biometrics are generally a brilliant idea

[Seven+Spirals]

Drug addicts... no. Can people who buy stolen phones reset them? Of course. Did grandma damage your brain with that coat hanger or what? Too bad she didn't finish the job.

Re: Biometrics are generally a brilliant idea

[Zero__Kelvin]

Dear idiot. The drug addict wants a phone to contact his drug dealer or that he can pawn. He does not have the ability to reset it, nor is any pawn shop going to accept it if he can't unlock it. They are looking for easy money, like the easy money one would get betting you have literally no knowledge or understanding of the subject matter you are pretending to grasp.

Re: Biometrics are generally a brilliant idea

[Seven+Spirals]

Wrong again. I've reset both Android and iPhones. They are easily factory reset. Thus your point is still 100% easy to see bullshit. It's just bullshit with an extra side of frustration as you clearly are angry that you've long since lost the argument.

Re: Biometrics are generally a brilliant idea

So you use a password because you often leave your phone unattended in places filled with untrustworthy strangers?

What kind of dumbass is this? Do you not live in 2018?

Re: Biometrics are generally a brilliant idea

[Zero__Kelvin]

So you are telling us you are a typical drug addict who steals phones then? Seriously, just STFU. You've already broadcast to the world what a phenomenally stupid motherfucker you are.

Re: Biometrics are generally a brilliant idea

[Seven+Spirals]

Nah, it just calls into question if you make a single cogent point that isn't easily deflated in moments or are you just a poorly skilled troll?

Re: Biometrics are generally a brilliant idea

[Zero__Kelvin]

You are a moron who is too stupid to understand what I wrote, and who I actually believe is so stupid that he thinks he didn't make a fool of himself while making it painfully obvious that he is too stupid to understand what was written.

Re: Biometrics are generally a brilliant idea

You are fucking stupid. I gotta agree with all the other ACs about that. Thieves who steal phones on a regular basis aren't a stereotypical ghetto crackhead. You take the phone and root it later. Gadget thieves have more intelligence than you do apparently.

Re: Biometrics are generally a brilliant idea

Projections like this are the reason law enforcement is a generation behind what people are actually doing, and why they're equipping themselves for bigger and bigger threats that fail to materialise.

Narratives tend to do this thing where they diminish the target's capability and intellect and then imagine some kind of criminal pyramid with a bad guy boss at the top... like in the comics... like the world is actually divided up into some kind of discrete linear hierarchy and divided into good guys and bad guys... or a series of stories designed to make important people feel specail and take away their constant, nonspecific panic.

and then people who are owned by them get upset when people don't let them keep leading the conversation...

why do you think that happens, mm?

Re:Biometrics are generally a brilliant idea

[gshegosh]

Perhaps you should ask Linus about where he took his rage control lessons. I think they'd benefit you, too.

Re:Biometrics are generally a brilliant idea

On the subject of pins why do we still recommend 4 digit pins?

I believe it's a balance between ease of use and security. Given that most of us have a handful of pins, longer ones would be too hard to keep track of while you also typically only are given three attempts to enter the pin.

I think the only times a pin should be used is when it's in combination with another form of "identification" that can be taken away from you, like a bank card, or when you have a harder password as fallback if you fail to enter the pin.

Re:Biometrics are generally a brilliant idea

[Seven+Spirals]

Perhaps you should study some Marcus Aurelius and learn to cope with the world around you as it is, not as you wish it to be.

Re:Biometrics are generally a brilliant idea

[gshegosh]

Apply your advice to yourself. Why are you so bothered about someone missing YOUR point if you're coping with the world as it is? :)

Re:Biometrics are generally a brilliant idea

[Seven+Spirals]

Life is good, man. I ain't bothered by you, him, or fuck all else. *shrug*

Apple driven test?

[aglider]

Is that possible?

Re:Apple driven test?

[mdm-adph]

Nope, it's just that Apple's face ID uses infrared -- it's probably looking for some sort of heat signature. A fake head wouldn't have that, and thus doesn't fool it.

Re:Apple driven test?

Guess Apple wants to divert attention from the fact that their facial recognition system allows anyone of Asian descent to unlock any other Asian person's phone.

Infrared?

[Gilgaron]

I have a laptop with "Windows Hello", which is a terrible name for their version of FaceID. It actually works very well after going through some sort of machine learning curve. My phone is too old to have such a feature, but my wife liked it enough to ask if we could do it with the webcam on the desktop. No-go there without a new webcam, as only some support it. I looked into it only briefly, but I believe in addition to some security features, it used infrared or similar spectrum to ensure it was looking at a real face and not a simulacrum. I would imagine that Apple may be doing something similar with their hardware.

Re:Infrared?

pick up a Kinect2 from ebay for 30 currency units. Microsoft were sending out the USB adapters for free if you could provide a valid xbox1s serial number.

it's a bit of a lump on top of your rmonitor, but it works very well.

This is frightening

If someone has a 3d printed copy of my head, they could unlock my phone and call people that I know.

Re:This is frightening

[LordHighExecutioner]

...and neither your phone nor the called people will notice any difference!

Re: This is frightening

Go outside. Your using it wrong

Re:This is frightening

...and neither your phone nor the called people will notice any difference!

Possibly! You could just train the head to say, "Uh huh. Ok." over and over.

Actually wait... this could keep me from having to talk to people on my phone...

Security

[fluffernutter]

No mobile phone is secure. Don't do things on a mobile phone that you want to keep secret.

Re: Security

I donâ(TM)t. Do you?

Especially after giving away your head

[raymorris]

Especially if you've been handing out high-quality 3D replicas of your head, don't use facial recognition and expect it to be secure.

But yeah pretty much don't expect any technology made after about 1850 to be secure. If you're a spy, a piece of paper and a one time pad might be the way to go.

Re:Especially after giving away your head

It is surprisingly easy to create 3D replicas of people's heads.

I mean, think about it: the iPhone creates a 3D model of your head just by having you look into its camera. (Granted it's using a 3D dot projector to do it, but still.)

All you need is a bunch of photos and you can construct a reasonably good 3D model. It really is that simple. Of course, for that to work, you need to be able to get a lot of photos, like from the type of self-obsessed person who can't stop posting selfies of themselves on social media. Kind of like, well, Apple users...

Re:Especially after giving away your head

[fluffernutter]

I doubt you would need more than a photo from the side and one from the front.

NAZI FAGGOT RAY MORRIS CAUGHT DEAD PROPAGANDA

Nazi homosexual recruiter RAY MORRIS pushing debunked Nazi propaganda even after corrected, #ROPE

Apple Face ID

Did Apple ever fix the âoeidentical Chineseâ Face ID problem?

Re:Apple Face ID

??? apple never has problems. It must be Asians fault.

I'm actually impressed

[Headw1nd]

Considering that humans could quite possibly be fooled by a 3D printed head in similar conditions, I'm actually very impressed they weren't all cracked. I also think this is an edge case scenario- Your phone is taken by someone who has the data, resources, and the will to make a 3D model of your head just to open it. Usually people would point to the government as a possible culprit here, but the government doesn't need to go to these lengths, they can use your actual face.

Re:I'm actually impressed

[pz]

Blinking, or other biomimetic movement, that's what ultimately makes a real head distinguishable from a statue, no matter how good the artist.

Or, if you've got a decent imaging apparatus, you can detect blood pusations in real flesh (e.g., http://news.mit.edu/2010/pulse...)

Re:I'm actually impressed

[Seven+Spirals]

Those are good ideas. It's pretty tough to believe a skilled sculptor couldn't reproduce someone's face/head quickly and with cheap materials using just a simple photo. They usually start with Styrofoam then use clay, waxes, and other items to make the face look realistic. Ever been to a wax museum? I seriously doubt you'd need to be even close to that skilled to fool a smartphone. After all, the phone has to be pretty forgiving to work for the person in different outfits, hats, weather, etc... I've known several artists that I'd bet money could do it in just a few hours work with cheap easy-to-source materials. However, if one added blinking, temperature, and other biologic factors it suddenly gets harder. It still wouldn't be impossible. You would just need to switch to using real people with cosmetic/prosthesis to make them look like the victim you want to impersonate. You just gotta make sure you start with someone who's skull is the right size. However, every additional metric you check for makes it harder.

Re:Seems fitting

Inverting reality is the weakest form of trolling. Up your game.

How about testing a Surface?

[SocietyoftheFist]

I wonder about the facial recognition built in to the Microsoft surface devices.

Doing it wrong

Biometrics shouldn't be used as an unlock key in the first place. As others have noted, keys can be (and are constantly being) compromised.

Biometrics might be a suitable substitute for the logon ID, but should never be used as a substitute for a password.

Re:Seems fitting

[jf_moreira]

Right. The smartest ones are those that pay 3x more to have the same technology, but with a fruit figure etched into its frame.

Next - ISIS testing

When ISIS chops your head off for being infidel, can it be used to unlock your phone?

Re:Seems fitting

[Oh+really+now]

Right. The smartest ones are those that pay 3x more to have the same technology, but with a fruit figure etched into its frame.

The irony of your comment is lost on you, isn't it? Especially considering the content of the article on which you're commenting.

Re:Seems fitting

[l0ungeb0y]

Yes, what matters is that it's not from Apple, who cares if the shit actually works?

Which only reinforces the obvious

[kaizendojo]

Physical security shouldn't be taken lightly. Keep your hands on your stuff.

Whoosh

[SuperKendall]

At least in the US, yes, the 4 digit PIN smeared all over your device is a lot safer.

What a hilarious gaffe you made repeating the very statement that proves you wrong!

You see, that 4 digit PIN has been declared to be protected

That protects you legally from having to reveal your passcode...

However if you think back to that sentence you copied, they know from the smears on the screen the digits of your passcode. Making it very likely they could simply guess it.

With an iPhone, if you see them holding a phone up to your face, you can simply refuse to unlock it by shutting your eyes. And if you are going through an area where you think they might try at all, you can always tell the iPhone to go into passcode only mode.

The rest of the time you get the convenience of FaceID, along with the extra security of not having to type your passcode out repeatedly in front of who knows how many cameras....

Didn't think about that one, did ya?

Re:Whoosh

[wertigon]

Obligatory XKCD: https://xkcd.com/538/

That rabbit hole goes even deeper though. Is the information on your computer worth your life? Your daughters life? Your familys life?

And yes, even government officials can, have, and will resort to the above tactics if they deem it important enough.

Re:Whoosh

[SuperKendall]

Is the information on your computer worth your life? Your daughters life? Your familys life?

That depends - for me pretty much not, but for other people it may be.

My privacy as an abstract concept is worth enough to being willing to miss flights over though, so that's all I ask of technology - to make it hard enough that someone seizing my phone would have to use more "extreme" measures to convince me to unlock something. Yes as soon as they pull out any kind of physical force I am giving them my password, because I don't have anything truly needing protecting over my health on my devices - but I value my principles enough to at least try.

On Oneplus it's just for unlocking the screen

But at least on the oneplus, the face unlock is just for the screen unlock, it's not for anything else. Not good for google pay, for banking apps, etc. Apple face ID is tighter, because they don't have fingerprint sensor anymore.

Not many resources required

[SuperKendall]

I also think this is an edge case scenario- Your phone is taken by someone who has the data, resources, and the will to make a 3D model of your head

Not shown: How many of the same phones are also opened by a printout of the face.

Doesn't take many resources to take a picture of someone's face and print it out...

That's because a lot of the Android phones that use facial recognition are doing so from a single camera with no depth map, the way the iPhone works.

So soon

[Impy+the+Impiuos+Imp]

Interesting, but this isn't the first 3D printed body part to convincingly mimic the real thing.

Re:Seems fitting

[JoeyRox]

Wasn't a troll. I can't stand Apple myself but they're the lesser of two evils when it comes to smartphones - I would never trust my data and privacy to the Android platform.

Re:Seems fitting

[Shaitan]

A company obsessed with a completely closed platform and total ownership of that platform is never the lesser of two evils.

That said, if you are already using a smartphone connected to a carrier it's a little late to pretend the security of your data and privacy are important to you. You already sold them for convenience. At that point the questions are how many Johns; do you speak greek; what are your rates; and about just a little metadata?

next step: direct digital face model

[dmahurin]

The next step is you attach a device to the phone which has independent displays feeding each camera.
After you calibrate the signal, you can pass you can pass your AR world with a dynamic fake head, that blinks and moves.

Should be closer to reality and you don't have to carry around a fake head to unlock your phone ...

I guess for security, you could use such a device to increase security, by using a fake head model that is not your own or even real. Perhaps Luke Skywalker with bunny ears.

Perhaps a randomly generated head/face...
Perhaps a horse head combined with a stapler.

Yes, turning face recognition into a holographic password. Probably not really practical or useful.

Can't force your eyes open

[SuperKendall]

Yep, and none of this will stop the police from holding your skull in place

Even if they do that as long as your eyes are closed it won't unlock the phone.

Especially if you saw there might be an issue and tapped the power button five times, which makes all iPhones require a passcode to unlock instead of biometrics...

Apple is the only one with a truly secure approach, in public view use biometrics to unlock your device, instead of using your password in public in view of many cameras. Then when entering secure zones with risk of phone examination, switch to passcode only until you are through.

Re:Can't force your eyes open

[quenda]

Apple is the only one with a truly secure approach,

Number 538!

I am shocked, shocked I tell you!

[WillAffleckUW]

Who would ever think that all the methods that have continually worked over and over to defeat biometric methods would continue to work?

P.S.: Train your data sets with reality, not with artificial segments of reality.

You know nothing about this Ken Doll

THERE WILL BE CONSEQUENCES NAZI INCEL FAGGOT KEN DOLL.

Filter error: Don't use so many caps. It's like YELLING.

THERE WILL BE CONSEQUENCES NAZI FAGGOT KEN DOLL

THERE WILL BE CONSEQUENCES FOR YOUR LIES FOR YOUR ENTIRE FAMILY NAZI INCEL FAGGOT KEN DOLL.

Filter error: Don't use so many caps. It's like YELLING. Filter error: Don't use so many caps. It's like YELLING.

You don't understand biometrics

[Brannon]

Your face is obviously not a secret, but authentication doesn't require secrets. How do you authenticate your wife everyday?

You trust your eyes, and you trust that [eventhough it's technically possible] it's not worth the substantial effort it would take for someone to try to fool your eyes.

Biometric security works the same way. The iPhone has a pretty bullet-proof & un-hackable chain of trust between the 3D sensor and the authentication circuitry--and it's really difficult & expensive to try to trick those circuits with a complicated 3D model. That's the whole ball-game. For the most part there are no secrets involved.

Re:You don't understand biometrics

[Seven+Spirals]

Good luck authenticating folks in IT without secrets. That'll go over great at your next security meeting, I'm sure. Maybe they will let you in now that you just passed your CISSP and are obviously another "security expert" with all the proper condescending buzzword bullshit lectures that entails. Suggest they switch corporate authentication to "handshake and a smile" and see how everyone will finally recognize your genius.

using face ids in digital dentistry has errors too

As a Dentist i would like to state that face id recognition systems are compromised too. We face a lot of probs with 3S shape system in our Nice post Dental Clinic too.

Passwords

[Translation+Error]

Instead, use a strong alphanumeric passcode, recommended Matt Lewis, research director at cybersecurity contractor NCC Group.

And if you want to make your strong passcode even more secure, configure your phone so it doesn't briefly show each character of your passcode as you enter it. Looking over someone's shoulder is even easier than building a fancy fake head.

I'm sorry the world is changing too fast for you.

[Brannon]

I have no idea what a CISSP is and couldn't care less. There's nothing trendy about facial & voice recognition for authentication--it's literally how humans have authenticated one another for the last several millenia. It works really well and it's very hard to trick (despite Mission Impossible 3D mask BS). Critically, it *does not* rely on secrets (although it does rely on 'trusted hardware'). I realize that's hard for you to understand, but take a minute and think hard--you'll get it. I believe in you.

Re:I'm sorry the world is changing too fast for yo

[Seven+Spirals]

Let me know how that meeting with security goes. I'm sure they will love your "just use faces" idea. If they don't, lecture them about the world changing too fast. Maybe that'll somehow lend some credence to your ridiculous point.

Re:Seems fitting

Android is totally open source, so what you're saying is you would never trust your data and privacy with yourself.

Re:Seems fitting

[JoeyRox]

I'll take the company obsessed with a completely closed platform over a company obsessed with monetizing every last piece of privacy their customers thought they had.

As for the carrier and my data and privacy, how exactly are they able to peer into my data considering all of it is encrypted at rest on the iPhone and all of it that moves off my phone over their pipes is encrypted as well?

Hardly news

Face recognition systems have been fooled/stymied by photographs, masks, certain patterns of makeup/hair styles, etc... for years.

There will always be passwords

[Brannon]

Secret-based authentication is a reasonable approach--that's one factor. Biometric (face recognition) is another factor. Put them together and you have 2-factor authentication. That's a fine solution for when you need the enhanced security provided by 2-factor authentication.

The whole thread was about your little tantrum that "you can't change your face". That's childish little quip is borne out of you not understanding that biometric authentication doesn't require secrets--and thus there's no reason to ever have to change anything because of concern that the "secret has escaped".

You now kinda understand that, but you're still pouting, mostly likely because the world is changing and you can't deal with that.

Re:There will always be passwords

[Seven+Spirals]

As others have already said repeatedly, more succinctly, and with less hand-waving, tap-dancing, backpedaling bullshit: Biometrics are a username, not a password. You can't see any difference between someone disagreeing with you versus actually being mistaken. The world *is* changing, but as it thrashes through a lot of trial and error with new technology trying to get it right, there are missteps. You seem to be allergic to anyone pointing out those missteps because you have too much emotional investment in the idea itself. You accuse me of not being able to deal with the change in technology, but you can't even deal with the change to your idealized image of what the tech *should be* rather than how it's actually implemented. Now put down the huffing rag and get back to the drive through window, bro. Customers are waiting.

A username provides zero protection.

[Brannon]

If my phone was only protected by a username then you could get into it easily, since my username is not a secret. But if you had my phone in your hand right now there's no reasonable way you could get into it--even if you had a picture of my face or hell even if you had a full 3D model of my face. So explain to me how FaceID is no better than a username.

The problem is this: stupid IT morons can't understand secret-less authentication, they only understand username:password. They keep trying to understand biometric authentication within the paradigm of username:password--and since your face can't be a password then it must be a username.

Literally everyone else on the planet understands FaceID perfectly--because it's exactly the same as how they authenticate other humans every day. And so unsurprisingly, nearly every one on the planet understands security better than stupid IT morons.

Re:A username provides zero protection.

[Seven+Spirals]

You are high. Nobody cares if you think single-factor-use-your-face is a great idea except other people wearing black turtlenecks and hornrims using consumer grade devices and having no actual need for security beyond "good enough" which is all it's meant for along a continuum of smartphone options (mostly poor ones). You have apparently never heard of costumes, impersonation, sculpture, 3D printing, fiberglass, fake hair, latex, disguises, actors, or any number of other zillion year old "technology" that can be deployed fairly readily to foil it, no "6 tries" needed. You must have been down for nap-time when story after story hit the net about facial recognition being fooled easily by photographs and other simple measures. The newest tech is better, sure, and FaceID is more sophisticated than some, but not infallible and not nearly good enough to rely on as a sole factor for anything beyond impersonal casual security where no other security would have been used otherwise. You keep bringing up "humans authenticating" one another by their faces. It's pathetically simple minded to conflate recognition with authentication and overlooks a very obvious flaw: humans get fooled all the time! Easily! Again go look up "costume" or "disguise" or "make up" and blow your mind with some new ideas you appear to have never encountered before!

So now you're just lying

[Brannon]

Show me a single news story of somebody fooling FaceID with a photograph. It doesn't exist because FaceID *DOESN'T USE THE CAMERA*!

Pretty much nobody uses more than single-factor for access to their smartphone. The whole point of FaceID (and TouchID before that) is that most people were still using 0-factor. Decent security is better than no security.

You are falling into the classic security myth that if security isn't perfect then it is useless. People who understand security know that ALL security is imperfect, the whole point is to increase the cost of defeating the security to the point where it is nolonger economical and criminals move on to an easier target.

Re:So now you're just lying

[Seven+Spirals]

Dude, you can't make shit up then argue with yourself. Well, you can, I guess, but I won't participate in that. I never said half the shit you are straw-manning up. At this point you are just arguing with your own lack of reading comprehension. Like I said, you are high and a bit retarded. I'm sorry the world is too complex for you.