Apple says it worked with Hollywood make up artists who have helped its engineers design Face ID so that it couldn’t be spoofed by photos or masks, but now a Vietnamese security firm claims to have successfully fooled the system using a facial mask.

According to security firm Bkav, via AppleInsider, the expensive, specially crafted mask that has allegedly managed to bypass the Face ID security system on iPhone X is a combination of a 3D-printed frame with makeup, a silicone nose and 2D images.

“Special processing” has been applied to the cheeks and around the face to make the mask feel more lifelike. Bkav has shared a demonstration video seemingly showing an iPhone X being unlocked by both the mask and the person it’s based on.

Bkav says this proves facial recognition is still “not mature enough” at this point. The company previously bypassed facial recognition systems on some laptops and showed a proof-of-concept demo at the Black Hat security conference.

Bkav will soon publish details about crafting the mask that beats Face ID.

“In practice Bkav-style masks are unlikely to pose a threat, since they would not only be difficult and expensive to make, but require the dimensions of a person’s face and detailed imagery,” notes AppleInsider.

While the hardware certainly has its limitations, it’s important to remember that Face ID relies heavily on machine learning and artificial intelligence to prevent spoofing. Theoretically, Apple could re-train Face ID’s neural network to protect from those kinds of attacks in the future.

Apple’s marketing boss Phil Schiller said during the iPhone X event:

Apple engineering teams have even gone and worked with professional mask makers and makeup artists in Hollywood to protect against these attempts to beat Face ID. These are actual masks used by the engineering team to train the neural network to protect against them in Face ID.

Face ID was previously fooled by identical twins.

What do you make of this?

Are you concerned that a sophisticated face mask can bypass Face ID just like Touch ID can be fooled in some cases using a very high-resolution print of a person’s fingerprint?

Let us know in the comments!

  • zebonaut

    Not surprising. So Apple will simply have to do some additional software updates to protect against this.

  • From the twins video: Apple did say it wasn’t twin safe in the keynote.

    • Jay

      Finger prints are twin proof.

    • John

      Actually, that’s not the wording they used.

      Perhaps you should rewatch the video and try again.

  • Iskren Donev

    I’d say if you have people making masks of your face or molds of your fingerprint, then you have much bigger problems than having someone look at your phone.

    These security features are more of convenience than true security. If you want true security you should use multi-factor authentication and a long, random, alphanumeric passcode.

  • MelMa D Teach

    ? just an emoji

  • David Diaz Escandon

    The weird thing is that Touch ID will not be fooled by twins, more reference points doesn’t mean that you could share your finger prints with some one else, just share some points. Apples probability may be boosted by reference points and not by actual measuring the dissimilarity between methods (50000 vs 1000000). BTW, Face ID hardware is step to the future.

  • Lÿo

    I don’t get it. You set up Face ID to recognize that mask, of course it recognizes it. WTH

    • Miguel Perez

      He then showed it unlocks with his face too…

      • Satyam Panchal

        video editing bro what if before he pick phone he cut video there and put her face in it and then put it back and continue the video and edit it make perfect video..

      • Rowan09

        Exactly. I was watching the video for proof, but I got none because his face and the mask aren’t the same. I need to know more

    • franco4785

      Face ID can only have one face set-up on the phone. So by him showing that he unlocks it with the mask and his own face goes to show you that the mask beats Face ID’s security

      • Rowan09

        Great now all we need is for someone to sit and let someone else make a mask of them to gain access of their phone. That seems really easy to accomplish. Come on we know nothing is 100% and Apple themselves made sure to make it clear.

      • Rowan09

        No because the mask and his face aren’t the same. So is the mask a replica of his face structure since Face ID only allows one face to be registered? I need more than this small video.

  • Rowan09

    Anyone that does this without me being aware to see my pictures and videos, I would just grant you access.

    • Niclas

      Including all passwords, Apple Pay etc.

      • Rowan09

        So someone is going to make a mold of my face while I sit there and wait to access my phone? Wouldn’t it be easier to just hold me up with a gun than go through all that work?

      • Niclas

        X knows that you’re a good target (hypothetically, you’re probably not irl).
        He takes a few pictures of you, grabs a few pics from social media, creates a 3d model and 3d prints it. Remember, still no mold.
        At the right moment your phone is stolen and you won’t notice but 15 min later.
        X steals the prize.

      • Rowan09

        Smh. Where have you seen Face ID faked by a 3D picture? You know they hacked Equifax right so all this work for what now?

      • mickey

        There has been actual face molds made (from 3rd party testers) that haven’t fooled faceid. It sounds like what they are doing here is much more complicated than snapping a few pictures of someone.

  • JulianZH

    What’s next? DNA unlock?

    • Jay

      Yes it will prick your thumb for blood sample every unlock attemp..

  • askep3

    Can’t wait for the idiots saying this is less secure than fingerprints when it’s cheaper and easier and cheaper to make a mold from PICTURES of your fingers

    • Niclas

      A 3d picture is easier to get than a finger mold.

      • askep3

        A high accuracy 3d mold of your face like in this article? Try again

      • Niclas

        No problem. AR is getting popular and with that comes 3d cameras. It’s just a matter of time.

      • Satyam Panchal

        Finger print can easily get from thing you touch and easily make mold but person cant make face mold unless you they dont get your face to make it

  • Rob

    In short, no, not bothered ?? if someone’s gone to that extent to access my phone, in the grand scheme of things, they’re the one with problems

    • websyndicate

      And if have 1Password or a password manager with FaceID enabled they will have access to all your passwords and maybe credit card /debit card info. They will have access to Apple Pay as well. Touch ID still wins IMO. FaceID is a flawed product. Even a twin can’t unlock your touch ID enable phone.

      • Rob

        If I was criminally minded enough & had the resources needed to make one of those masks of your face, and I knew your accounts were important enough for it to be worth it, and I discovered u were using Touch ID, I wouldn’t sigh & go ‘oh well, better leave this guy alone’.
        And if you’re family is so messed up that if u have a twin & you’re worried about their intentions, use a passcode, or the iPhone 8 – made for the smaller percentage of people that the iPhone X isn’t suited for for whatever reason.

      • Niclas

        You can take a 3d picture of someone, make the mold and steal their phone. Game Over.

      • Rob

        That’s be cool to see in a James Bond movie. More interesting than the old cliché way of taking a fingerprint off a glass that they’ve used

      • Rowan09

        That didn’t work and I don’t believe it will work either. So someone is going to let some take the time to make a mold of their face or take a 3D picture of them just to gain access to their cellphone? All our information is on the web anyways, it might be easier to just hack some website with our info like let’s say Equifax.

      • mickey

        Other than identical twins, I’d imagine it is much harder and involved to create a good enough mask to fool Face ID than steal someone’s fingerprint. Both are flawed if high level security is your concern.

  • DsWan3

    The mask is bullshit, you can enroll multiple faces and they convieniently don’t show that only his actual face was enrolled

  • Umut Topuz

    so which one is easy to make? getting your fingerprint or facial measures? That thing is good on every aspect with the design. However the phone has to be tested or had to think on that phone for a year more. There are too much issues users are facing now.

    Green line, touch responsiveness, air bubble on hard press, faceid identification issues, and more…

    • John

      What’s it like walking around wearing a tinfoil hat?

      The number of people reporting green line issues or touch responsiveness compared to the number of devices sold I bet won’t even equal 0.1% of all phones sold and that’s bloody impressive.

  • avatar

    Running with the old news, It’s fake and has been proven as a publicity stunt by Bkav Corp!

    • Niclas

      Nope, not fake.

  • websyndicate

    Touch ID still wins.

    • John

      Urgh. Trolls.

      • Niclas

        Urgh. Idiots.

      • Rowan09

        Do you own an iPhone X? Your making all these claims of some that debunked as false and yet you’re here why?

      • Niclas

        You’re making claims without proof.

      • Rowan09

        You said make a 3D picture and where on the web is this true? I’ve seen people use masks and it didn’t work. This video is proof it’s possible I guess but how can we valid this finding with no background, etc? I can simply edit a video to show my dog unlocking it with Face ID how is this any different? Regardless nothing is unhackable so I’m curious into your implications. The FBI was hacked along with Equifax, so if someone is going through all this work, they can have it because it shows they would possess the skills to do it anyways.

      • Niclas

        “I can simply edit a video to show my dog unlocking it with Face ID how is this any different?”
        Do that and get the press there to watch it too. Lets see if you can fool everyone.

  • John

    If you actual read the Face ID guide, this would actually be easier to fake than we think.

    There’s really nothing here to see, let’s move on before all the paranoid people crawl out from under their rocks and start sprouting bullshit.

  • Niclas

    They shold have used under glass touch id instead…

    • Rowan09

      Why?

      • Niclas

        Faster, safer and better.

  • Sahin

    The video is a bad fake because he didn’t set up Face ID new and then tryed it with the mask. The problem is: If you have set up Face ID and someone else follow these steps: Try to unlock, get no access and type in passcode and you do this maybe 5 – 6 times, Face ID will think this is your changed face (like growing bears or something else).
    That’s the only way to trick Face ID.
    That’s why the mask get access in the video.

    Otherwise there is no way, Face ID is more secure ;).

  • Sahin

    The video is a bad fake because he didn’t set up Face ID new and then tryed it with the mask. The problem is: If you have set up Face ID and someone else follow these steps: Try to unlock, get no access and type in passcode and you do this maybe 5 – 6 times, Face ID will think this is your changed face (like growing bears or something else).
    That’s the only way to trick Face ID.
    That’s why the mask get access in the video.

    Otherwise there is no way, Face ID is more secure ;).

    • Satyam Panchal

      yea that right.

  • Any person or agency willing to go to these lengths to access your phone is more likely to take the XKCD approach: hit you with a $5 wrench until you unlock the phone (or just tell them what they want to know).

  • it’s so hard to do it by a simple user

  • Anupam Padmanabhan

    He might have configured it using the mask.. as well as his face.. if hs done that… he is an idiot.. cos the truth will come out sooner or later..