Has the iPhone X’s Facial ID Security Already Been Broken?

Vietnamese security firm Bkav claims to have broken the iPhone X’s Face ID security with a simple mask, although the claim has yet to be confirmed by other security firms. People are surprised at just how quickly Apple’s hi-tech new Face ID for iPhone X seems to have been ‘pwned’, with researchers able to get through the facial scan used to ID owners.




Mark James, Security Specialist at ESET 

“Although the video itself does leave a few questions to be answered, we need to understand that any of the “extra” ID features of this, and indeed any previous, iPhone have always been aimed at the average user. TouchID and Facial recognition are there for ease, not added security; both of these features can and have been duped by technology. The question you need to ask yourself is “does this feature make my life easier?”. If the answer is yes and your phone just contains the “normal” run of the mill level of private stuff, then you’re good to go. If you’re a high profile celebrity or government official, then you may need to ask yourself how much effort someone would go to, in trying to replicate your fingerprint or face. Any security feature has the chance of being replicated or “hacked”, but it often takes time, effort, and a fair bit of money and/or expertise to do so.”


Lee Munson – Security Researcher at Comparitech.com 

“The live unveiling of the new security feature on Apple’s latest flagship iPhone appears to have been a portent of what was to come as Craig Federighi’s issues with unlocking the device have given way to a far bigger problem.

Even though Face ID has not been touted as completely foolproof, it has been portrayed as offering a high level of security. The fact that it appears the use of a mask can circumvent it would suggest otherwise though.

That said, the typical iPhone X owner is not going to be at risk of such an attack, but companies issuing the latest handset to employees, or allowing the use of personal devices on their networks, may wish to take a long hard look at their mobile device management and bring your own device policies.”


Javvad Malik, Security Advocate at AlienVault:

“With any new security technology, particularly at mass consumer level, there will always be attempts to circumvent in new and creative ways.

Much of this comes down to the risk tolerance and models of individuals. Generally speaking, Face ID, much like Touch ID or even passcodes, provides sufficient protection for most users under most scenarios. Of course, if a user is worried about threats from well-funded adversaries, organised crime, or governments, then additional security measures will need to be taken above and beyond what most consumer devices offer.”


Josh Mayfield, Director at FireMon:

“Apple’s facial recognition was never intended to be a security measure for strong authentication. The hype around the automated log-in from staring at one’s phone was meant to give the user ease, rather than hardened security to prevent unauthorized access.

The trouble with facial recognition is that too many humans have defining characteristics that cannot be dissected by a machine – we look too similar.  The reason CAPTCHA is so effective is that there are subtleties that only a human eye can assess and accurately confirm. 

The second trouble with Apple’s facial recognition is that it seeks confirmation rather than disconfirmation. When you begin with the goal of confirming, you will quickly squeeze every new variable to fit your desired outcome. When this bias is written into the system’s machine learning, the only outcome is loosely associated facial features confirmed as authentic.

From a security standpoint, the method of confirmation is contra to legitimate security.

Each attribute on a face builds a cumulative case for the machine’s confidence that the user is the right one. This means that facial characteristics that are not ‘right’ will not stop the machine from confirming the person as authentic. Like a lawyer making a case out of disconnected and merely corroborative evidence (when lacking the smoking gun), the machine gets things close enough and uses probability to confirm the identity. But probability is not certainty.

Strong authentication cannot be faked, gamed, or manipulated.  Apple’s facial recognition begins with the opening assumption that the user gazing at the screen is likely to be the correct user.  From there, the recognition system only seeks to confirm its assumption…never to seek to prove its assumption wrong.”


Paul Norris, Senior Systems Engineer – EMEA at Tripwire:

“Time and effort were involved in creating the mask that fooled the Face ID recognition software. Detailed dimensions would have to be taken to create the mask, and the security firm alluded to the fact that they had to use a special material on the mask too. What they didn’t disclose was how many attempts and what level of effort it took to get the mask to work flawlessly.

Is this really a risk to iPhone X users? Apple will disable the Face ID after five attempts, and force the user to enter a passcode, which should be secure. Apple accidentally demonstrated this feature during their keynote session where the iPhone X refused to unlock during the live demo due to unrecognised faces being present prior to the demonstration.

To use Face ID, there must be a passcode set up on the phone. The iPhone will prompt you for the passcode for additional security validation when:

  • The device has just been turned on or restarted.
  • The device hasn’t been unlocked for more than 48 hours.
  • The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn’t unlocked the device in the last 4 hours.
  • The device has received a remote lock command.
  • After five unsuccessful attempts to match a face.
  • After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.

In order to compromise Face ID authentication, the attacker would have to have a detailed map of the face of the user, create a mask that would map the exact details of the victim’s face, unlock the phone within five attempts and do all of this within 48 hours. This seems like an unlikely sequence of events.”
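
The passcode-fallback conditions listed in the quote above, modelled as an added example (not code from Apple or from this article); `DeviceState` and the reason labels are hypothetical names, and the sample timestamps are constructed. It also computes the latest moment at which Face ID alone could still unlock the phone, which shows that the 48-hour figure is an upper bound that the six-and-a-half-day rule can shorten.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_FAILED_MATCHES = 5
UNLOCK_IDLE = timedelta(hours=48)            # no unlock of any kind
PASSCODE_IDLE = timedelta(days=6, hours=12)  # passcode not used
FACE_IDLE = timedelta(hours=4)               # Face ID not used

@dataclass
class DeviceState:  # hypothetical model of the listed conditions, not an Apple API
    last_unlock: datetime                 # most recent unlock by any method
    last_passcode_unlock: datetime
    last_face_unlock: Optional[datetime] = None
    just_booted: bool = False
    remote_lock: bool = False
    failed_matches: int = 0
    sos_triggered: bool = False

def passcode_reasons(s: DeviceState, now: datetime) -> List[str]:
    """Return every listed condition that currently forces the passcode."""
    reasons = []
    if s.just_booted:
        reasons.append("restart")
    if now - s.last_unlock > UNLOCK_IDLE:
        reasons.append("idle_48h")
    face_stale = s.last_face_unlock is None or now - s.last_face_unlock > FACE_IDLE
    if now - s.last_passcode_unlock > PASSCODE_IDLE and face_stale:
        reasons.append("passcode_6.5d_and_face_4h")  # both halves must hold
    if s.remote_lock:
        reasons.append("remote_lock")
    if s.failed_matches >= MAX_FAILED_MATCHES:
        reasons.append("five_failed_matches")
    if s.sos_triggered:
        reasons.append("power_off_sos")
    return reasons

def face_id_deadline(s: DeviceState) -> datetime:
    """Latest time Face ID alone still works if no event-driven trigger fires."""
    compound = s.last_passcode_unlock + PASSCODE_IDLE
    if s.last_face_unlock is not None:
        compound = max(compound, s.last_face_unlock + FACE_IDLE)
    return min(s.last_unlock + UNLOCK_IDLE, compound)

# Constructed sample: passcode last typed six days ago, Face ID used this morning.
SAMPLE = DeviceState(last_unlock=datetime(2017, 11, 13, 8, 30),
                     last_passcode_unlock=datetime(2017, 11, 7, 8, 0),
                     last_face_unlock=datetime(2017, 11, 13, 8, 30))
```

For the constructed sample the Face ID window closes at 20:00 the same day, well inside 48 hours, because the passcode has gone unused for nearly six and a half days.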