"The recognition mechanism is not as strict as you think," the Bkav researchers write. "We just need a half face to create the mask. It was even simpler than we ourselves had thought."

Without more details on its process, however, plenty about Bkav's work remains unclear. The company didn't respond to the majority of a long list of questions from WIRED, saying that it plans to reveal more in a press conference later this week.

Most prominent among those questions, points out security researcher Marc Rogers, is how exactly the phone was registered and trained on its owner's real face. Bkav's staff could have potentially "weakened" the phone's digital model by training it on its owner's face while some features were obscured, Rogers suggests, essentially teaching the phone to recognize a face that looked more like their mask, rather than create a mask that truly looks like the owner's face.

"For the moment I can't rule out that these guys might be tricking us a bit," says Rogers, a researcher for security firm Cloudflare, who worked with WIRED on our initial attempts to crack Face ID, and was also one of the first to break Apple's Touch ID fingerprint reader in 2013.

But in response to questions from WIRED, Bkav denied any such trickery. A company spokesperson says that after crafting a mask that was able to fool Face ID---it first made four others that failed---the researchers re-registered their test iPhone X on the face of Bkav's staffer, to make sure that it hadn't biased the phone's model of his face. After that, they never entered a passcode into the phone, and yet the mask alone unlocked it. [1]

Bkav's history also lends its demonstration some credence. Nearly a decade ago, the company's researchers found that they could break the facial recognition of laptop makers including Lenovo, Toshiba, and Asus, with nothing more than two-dimensional images of a user's face. They presented those widely cited findings at the 2009 Black Hat security conference.

If Bkav's findings do check out, Rogers says that the most unexpected result of the company's research would be that even fixed, printed eyes are able to deceive Face ID. Apple patents had led Rogers to believe that Face ID looked for eye movement, he says. Without it, Face ID would be left vulnerable not only to simpler mask spoofs, but also attacks that could unlock an iPhone X even if the owner is sleeping, restrained, or potentially even dead.

The last of those situations is especially worrying, since it would theoretically be a problem for Face ID that even Touch ID didn't present, given that the latter checks for the conductivity of a living person's finger before unlocking. "That would mean this could be tricked without any liveness test at all," Rogers says. "I would say if this is all confirmed, it does mean Face ID is less secure than Touch ID." It's also unclear if Face ID uses any methods beyond eye movement to indicate that someone is alive. (At least one researcher points out that Touch ID may also work on a corpse: SR Labs' Ben Schlabs sent WIRED a video unlocking an iPhone SE with an altogether non-living foam-backed fake fingerprint.) [2]

Despite the potential threat of snooping on a sleeping, kidnapped, or dead person’s iPhone X, Rogers considers the notion that someone will make a silicone-and-plastic mask of the average person's face far-fetched. A far more practical concern is someone simply tricking a victim into glancing at their phone.

"This is still not the kind of attack the average person on the street should worry about," Rogers says of Bkav's work. "It’s still probably easier to snatch the phone and just show it to someone to unlock it."

Update 11/27/2017 9:30 am EST: Bkav has now released a second video demonstrating that it can spoof Face ID more convincingly: Using a $200 mask 3-D printed in stone powder and two-dimensional eyes printed with infrared-sensitive ink, the researchers were able to register a subject's face in the phone, and then show the phone a mask that immediately unlocked it, as captured in a single shot below.

[1] Updated 11/13/2017 9:30 am EST with more information from Bkav.

[2] Updated 11/13/2017 10:55 am EST with a comment from SR Labs on unlocking Touch ID with a non-living finger.