If their number is correct, there are only about 7,000 lookalikes on the planet for any given user. Tracking one down and convincing them to participate in your nefarious scheme seems non-trivial. And remember that you must accomplish this within a fairly short time period (48 hours?) and two failures will lock you out for good.
If you’re the target of an attack by a sophisticated organization like an intelligence agency or a large industrial espionage operation, they might be able to pull this off. Common criminals will just break the phone up for parts. And either way, it’s better than fingerprints.
> convincing them to participate in your nefarious scheme seems non-trivial
Actually this would be the easiest part. E.g., a courier knocks on a random person's door, says "please sign here" and shoves a clipboard in their face (that happens to have a Face ID-sized hole in the metal frame), then hands them a random package. Done. No convincing needed. Worst case, they're confused for a day about why they signed for whatever you put in the box and who sent it, and then they forget about it altogether.
You're right about the 7000, except it's likely that a large fraction of that 7000 lives geographically close to you, as most family does. I agree that this will take more sophistication than what a common criminal could pull off, but this opens up a wide range between that and a state intelligence agency that could try, compared to Touch ID.
I would like to see a security review with more details about how common false positives are given that you only try lookalikes.
That 1:1,000,000 is for random people. I am really interested in seeing how well it works for members of the same family (not twins). The statement I read seemed to indicate it was less reliable there.