Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication, highlighting their pivotal role in modern security systems. Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning), raising significant concerns about their reliability and trustworthiness. Previous studies primarily focus on traditional adversarial or backdoor attacks, overlooking the resource-intensive or privileged-manipulation nature of such threats, thus limiting their practical generalization, stealthiness, universality and robustness. Correspondingly, in this paper, we delve into the inherent vulnerabilities in FRS through user studies and preliminary explorations. By exploiting these vulnerabilities, we identify a novel attack, facial identity backdoor attack dubbed FIBA, which unveils a potentially more devastating threat against FRS:an enrollment-stage backdoor attack. FIBA circumvents the limitations of traditional attacks, enabling broad-scale disruption by allowing any attacker donning a specific trigger to bypass these systems. This implies that after a single, poisoned example is inserted into the database, the corresponding trigger becomes a universal key for any attackers to spoof the FRS. This strategy essentially challenges the conventional attacks by initiating at the enrollment stage, dramatically transforming the threat landscape by poisoning the feature database rather than the training data.

翻译：人脸识别系统（FRS）已日益融入监控、用户认证等关键应用，凸显其在现代安全系统中的核心作用。近年研究揭示了FRS在对抗攻击（如对抗补丁攻击）和后门攻击（如训练数据投毒）中的脆弱性，引发对其可靠性和可信度的重大担忧。以往研究主要聚焦于传统对抗攻击或后门攻击，忽视了此类威胁对资源高消耗或特权操纵的特点，从而限制了其实际泛化性、隐蔽性、普适性和鲁棒性。相应地，本文通过用户研究和初步探索，深入剖析了FRS的内在脆弱性。利用这些脆弱性，我们识别出一种新型攻击——名为FIBA的人脸身份后门攻击，揭示了针对FRS的潜在更具破坏性的威胁：一种注册阶段的后门攻击。FIBA规避了传统攻击的局限性，通过允许任何佩戴特定触发器的攻击者绕过这些系统，实现大规模破坏。这意味着，一旦将单个投毒样本插入数据库，对应的触发器就成为任何攻击者欺骗FRS的万能钥匙。该策略通过从注册阶段发起攻击，彻底挑战了传统攻击方式，通过对特征数据库而非训练数据进行投毒，从根本上改变了威胁格局。