While Face ID is theoretically 20 times more secure than Touch ID, with a 1:1,000,000 chance of a false match as opposed to 1:50,000, there are legal and societal reasons why we still believe it is less secure in certain situations.
Touch ID requires the owner to physically place their finger on a device. Face ID does not.
This may not seem like a huge deal, but it has tremendous implications, both legal and societal.
We pointed these issues out recently, when we said the phone could be used without the permission of the owner in certain situations:
- Law enforcement holds phone up to person’s face to unlock it.
- Person sleeping or partially passed out – another person holds phone up to their face.
If a person is arrested or crossing a border or otherwise comes into contact with law enforcement, the authorities have the ability to take the phone from the owner. With Touch ID, assuming force is not used, the owner of the device would have to physically decide to place their finger on the phone to unlock it.
Face ID however makes this potentially easier for law enforcement. Now, all they have to do is place the phone up to the user’s face.
We reached out to Apple about this matter and they replied with the following statement:
Our teams have been developing the technologies behind Face ID for several years, and our users’ privacy has been a priority since the very beginning.
Face ID provides intuitive and secure authentication enabled by the TrueDepth camera system and the A11 Bionic chip, which uses advanced technologies to accurately map and match the geometry of a user’s face. Face ID data never leaves the device, is encrypted and protected by the Secure Enclave.
We’ve tested Face ID on people from many countries, cultures, races and ethnicities, using over one billion images to train our neural networks and defend against spoofing.
We’re confident that our customers will love using the feature and find it an easy and natural way to unlock their iPhone X. We will offer more details on Face ID as we near the product’s availability.
This statement reinforces how impressed we are with the technology. We think the technical achievement of Face ID is beyond amazing – especially considering this is still a thin and light phone which fits in your pocket.
Apple’s representative also referred us to comments from Apple SVP Craig Federighi. The most pertinent ones are related to the idea of attention. The user must be looking at the phone for it to unlock with a simple swipe up. Apple has also pointed out this happens instantaneously.
Apple also referred us to this video: the Face ID section starts at 1:23:55 (83:55) in the keynote and ends at 1:30:55.
Getting back to our question about law enforcement: it seems safe to say at this point that if you can gain access to a person’s phone, hold it up to their face and get their eyes to make contact with it, you can unlock it. It’s unclear if there is any law against doing so in the US, let alone in the rest of the world, where people may have less protection and potentially no presumption of innocence.
The second part of our question above has to do with a person being asleep or passed out. Could you wake someone subtly enough for their eyes to open and unlock the device without them being fully aware or conscious? What if they are zoned out? Can someone get them to make eye contact with the iPhone X sensor without them realizing what has happened?
Then there is the scenario in a home where a family member picks up a person’s device and wants access to it. Currently, a finger needs to be willingly given. With Face ID, the family member can just hold the phone up to the owner’s face. The owner would have to physically take the phone back if they didn’t want the other person to access it.
A few other points about Face ID security:
- You can squeeze the buttons on both sides of your iPhone X to temporarily disable Face ID. This is basically the beginning of the power-down process.
- After 2 days of not using Face ID, you need to use a passcode to gain access.
- A passcode is required after five failed attempts – exactly what happened onstage at the Steve Jobs Theater.
- If Face ID hasn’t unlocked the phone in four hours or your passcode hasn’t been used for 6.5 days, you’ll need to enter your passcode.
The best way to think about the change is as follows. Security on the iPhone X has gone from passive via Touch ID to active via Face ID. In other words, with Touch ID, unless the owner is forced to touch the phone, it stays locked.
With Face ID, however, users will have to actively worry about security. If a person puts the phone up to the owner’s face, the owner has to close their eyes or look away to keep it secure. This could get interesting if the owner is driving a car or flying a plane.
We think Face ID is a gigantic leap forward in technology but potentially a few steps back in security because of these issues.
In summary, Face ID on the iPhone X is 20 times more secure than Touch ID if friends, family or law enforcement gaining access to the owner’s phone is not a concern or issue. If however there is truly sensitive information on the phone or the user doesn’t think they’ll remember to squeeze its buttons to keep kids, a spouse or law enforcement out of it, they may want to stick with Touch ID.
No doubt we will hear of court cases which try to determine the iPhone X owner’s rights to privacy with regards to law enforcement waving the phone in their face. We have seen them arise regarding Touch ID. Although we aren’t qualified to give legal advice, we believe the courts will condone the waving to unlock by law enforcement and government agencies.
As these situations arise, we’ll be sure to report on them here or point them out in our Twitter feed.