by crindy 3146 days ago
This seems like a silly way to think about FaceID. You’d need 1000+ people to all try their faces on each other’s 1000+ phones to get the 50% chance of unlocking. That’s not the scenario biometric authentication is built for, which is why the phone would require a password after 5 failed attempts.
2 comments

The problem with that is the ease with which anyone can compare their input to the 'key' externally.

You could very quickly rule out 95% of the field with little effort, and people already do things like say "you look so much like X": we have a short list of collisions already.

Exactly. I'm more worried about if someone can make a mask of someone's face (or even a printout) and get it to work.

But at least it's not like people have pictures of their faces plastered across every social network...

... crap.

As others have said, those who have tried masks haven't worked. But I wonder if normal masks have different heat signatures than real faces, which an IR array can detect. It's possible that something as simple as standard mask + heat would fool the system. Hopefully not!
Apple specifically mentioned testing with high-end masks, and there have been videos made about people attempting it. It doesn’t work.
I agree and it wasn't the intent of the question. More of a purely academic way of putting "one in a million" into more human terms. And it didn't work, since I can't picture a room of 1250 people doing this, like you rightly point out.

But I also don't think the "brother who already knows the phone PIN code" is a real-world attack vector of concern to most people. I get that it could be an issue in narrow situations: you share your PIN code, lookalike sibling uses it to "train" your phone; you change passcode not realizing that phone will still unlock for now-untrusted sibling.

Even in that scenario, I would bet that after a few days of normal usage by the phone's rightful owner alone the attack wouldn't work anymore. But, it's too soon to know.