A week ago, Apple debuted iPhone X and Face ID, a new biometric security mechanism that replaces Touch ID.
Face ID allows users to unlock their iPhone with their face. The same mechanism can also be used to make purchases in various Apple digital media stores, and to authenticate payments via Apple Pay.
The mechanism works by projecting over 30,000 infrared dots onto a face and creating a 3D mesh of it, then comparing it to the stored facial recognition information.
Security and privacy concerns addressed
The facial recognition information is stored on the device, in a Secure Enclave on the Apple A11 Bionic chip – it is never stored in the cloud, shared with third parties, or sent to Apple, meaning that Apple can’t hand over such information to law enforcement or anyone else.
And, as Craig Federighi, SVP of Software Engineering at Apple, confirmed for TechCrunch, the information is stored as a mathematical model that cannot be reverse-engineered, i.e. the information can’t be used to create a model of the face.
Apple is confident that the mechanism can’t be fooled by photos or masks. I have no doubt that many hackers will try to prove them wrong once they get their hands on a newly minted iPhone X, but it remains to be seen whether they’ll succeed.
How to disable Face ID
Apple has implemented easy methods for thwarting Face ID if the user is ever in a position of being forced to unlock the device without actually wanting to:
- Simultaneously press the buttons on either side of the device (volume + power) and hold them for a little while. This will take them to the power down screen, but it will also disable Face ID.
- Refuse to stare directly at the iPhone. Face ID won’t work if the user doesn’t stare at the device (unless the “attention detection” feature has been turned off – the option is provided to help people who are blind or vision impaired).
The fact that a user has to look at the phone for Face ID to work also means that people close to the user can’t unlock the device by putting it in front of the user’s face while he or she is sleeping.
Like Touch ID before it, Face ID will default back to passcode if there have been five failed Face ID attempts, or if the device has been rebooted. The device will also ask for a passcode if the user hasn’t used Face ID in 48 hours.
For the moment, there is no option for using both Face ID and passcode to double down on security.
So, if you’re less worried about security, Face ID is the more convenient choice. If the opposite is true, use passcodes. And if you’re not sure which option is the best, this post by security researcher Troy Hunt can help you decide.