Phil Schiller, Apple's senior vice president of worldwide marketing, discusses features of the new iPhone X at the Steve Jobs Theater on the new Apple campus on Tuesday, Sept. 12, 2017, in Cupertino, Calif. (Photo: AP/Marcio Jose Sanchez)

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

The price tag on the newly-announced iPhone X may have been the most mentioned aspect of the upcoming $1,000 device throughout the last week of social media buzz, but the feature getting the most attention in cybersecurity circles is Apple’s new Face ID authentication system, which will replace Touch ID. In Apple’s first step into facial recognition for security, the Face ID system utilizes the iPhone X’s front-facing TrueDepth camera system—which includes a flood illuminator, infrared camera and dot projector—and a neural network processed through Apple’s first A11 Bionic neural engine, according to Phil Schiller, Apple’s senior vice president of worldwide marketing, as he announced the feature at the company’s special event on Sept. 12.

“Face ID is the future of how we unlock our smartphones and protect our sensitive information,” Schiller said. “To make Face ID possible it took some of the most advanced technology we have ever created.”

This technology has not yet been released to the public, as the iPhone X won’t be in consumers’ hands until Oct. 27, but this hasn’t stopped many from speculating about whether Face ID is truly advanced enough to protect users’ $1,000 investments—and all their sensitive data—from thieves and hackers.

Will Stop Imposters—But Not ‘Evil Twins’

Schiller assured the audience at the packed Steve Jobs Theater last Tuesday that Face ID would not be easily fooled—he even pulled up a picture of highly detailed and realistic face masks that Apple’s team used to train Face ID’s neural networks to not be tricked by artificial doppelgangers and imposters. And since it’s designed to detect 3-D, attentive faces, Face ID can’t be unlocked by a simple photo, said Schiller, and is even more accurate than Touch ID, which he said has been the “gold standard for consumer device biometrics protection.”

“The data for Touch ID has been 1 in 50,000, meaning that the chance that a random person could use their fingerprint to unlock your iPhone has been about 1 in 50,000,” Schiller said. “So what are the similar statistics for Face ID? 1 in 1,000,000. The chance that a random person in the population could look at your iPhone X and unlock it with their face is about 1 in 1,000,000.”

However, Schiller admitted that those chances increase when the person trying to get into your phone is not a random person, but a genetic relative—and that you may need to keep your phone locked with a passcode if you have an “evil twin.”

Can It Be Spoofed?

While Schiller’s presentation clearly implied that the answer to this question is “no,” several commentators on cybersecurity have already begun saying “maybe.” There is precedent for spoofing biometric systems—including facial recognition—and, as well-known professional hacker and head of information security at CloudFlare Marc Rogers tweeted following Apple’s announcement, “At the end of the day, remember anything man makes man can break. The important question is it secure *enough*.”

In April, university researchers challenged fingerprint systems such as Touch ID by developing a so-called “MasterPrint” that would potentially be able to unlock almost any fingerprint-protected smartphone. Another group of university researchers is currently researching the use of three-dimensional fingers made from a material similar to human skin to train fingerprint ID systems to reject spoofs. Rogers said he would similarly be interested in putting Face ID to the test by 3-D printing a model of his head and trying to use it to unlock one of these phones, according to Wired Magazine. In 2015, Popular Science writer Dan Moren tricked the facial recognition system of Chinese retailer Alibaba, used to authenticate payment, using only a video of himself—something that could easily be taken from a user’s social media profiles.

In 2016, researchers from the University of North Carolina presented research at the USENIX Security Symposium showing how they successfully fooled four out of five modern face authentication systems using 3-D, animated, virtual reality models created from Facebook photos of participants. I reached out to the authors of that study, who replied it is too soon to know whether this research has any implications for Face ID, as it hasn’t yet been released.

The fact that no one in the public has had access to the iPhone X to test it yet, taken with Schiller’s explanation of Face ID’s impressive inability to be tricked by life-like masks, means it truly remains to be seen whether Face ID will rise above both preceding and suspected security flaws.

A Missed Opportunity?

The iPhone X’s all-screen design, which scraps the Home button and Touch ID along with it, may create a refreshing new look and feel for some Apple users, but one biometrics expert, Chief Identity Officer of BioConnect Bianca Lopes, questions the newest iPhone’s abandonment of a feature that still holds value in its own right when it comes to privacy and security.

Lopes told Forensic Magazine that giving users the choice to use Touch ID, Face ID or both would have been a better option—it would have let users who would prefer to unlock their phones discreetly do so with the simple touch of their finger, and it would have let users who want extra security to double down on their biometric identification.

“I am a fan of choice. As a human I want it all. I want all the ways you can use context to authenticate me,” Lopes expressed. Like police trying to identify a suspect from biometric evidence, the iPhone might have benefited from being able to rule out suspects based on both a face and a fingerprint, not just one or the other.

However, Lopes says the adoption of authentication systems like Face ID opens up another opportunity for biometrics to become more mainstream, and for them—and the relationship between convenience and security—to be further scrutinized and improved.

“This is progress in understanding that convenience has and will continue to trump security and to me make the older models of credentials no longer acceptable,” Lopes said. “We need to educate ourselves, our clients, and build better standards that the universe can adhere to and provide growing input to. It will do a great deal to bring about mainstream adoption of biometrics, which I like. And it has also initiated more conversations about privacy which is a good thing, although there is still a great deal of education that needs to take place about identity and biometrics in the market.”