Apple just dropped a detailed, six-page white paper entitled “Face ID Security” ahead of the iPhone X launch in November. In the security document, Apple explains how facial recognition with Face ID on iOS will work, how safe it is as biometric security, and what issues it may have for users.
The security paper opens with an overview of how Face ID works on the iPhone X:
“Face ID confirms attention by detecting the direction of your gaze, then uses neural networks for matching and anti-spoofing so you can unlock your phone with a glance. Face ID automatically adapts to changes in your appearance, and carefully safeguards the privacy and security of your biometric data.”
When using Face ID, Apple says your passcode (which is required as a fallback) is still required in these cases:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
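The rules above can be read as a policy check that runs before any face match is accepted. The sketch below is an added example, not Apple's code: `DeviceState`, its field names and the reason strings are hypothetical, and treating each limit as strictly "more than" is an assumption. It returns every rule that currently forces the passcode.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class DeviceState:
    """Hypothetical model of the inputs to the listed rules (not an Apple API)."""
    now: datetime
    last_passcode_unlock: datetime
    last_face_unlock: Optional[datetime] = None   # None: Face ID never used
    unlocked_since_boot: bool = True
    failed_face_matches: int = 0
    remote_lock_received: bool = False
    sos_or_power_off_held: bool = False

def passcode_reasons(s: DeviceState) -> List[str]:
    """Return every rule that forces the passcode; an empty list means Face ID may unlock."""
    passcode_age = s.now - s.last_passcode_unlock
    face_age = s.now - s.last_face_unlock if s.last_face_unlock else timedelta.max
    last_unlock_age = min(passcode_age, face_age)  # most recent unlock of either kind
    reasons = []
    if not s.unlocked_since_boot:
        reasons.append("restart")
    if last_unlock_age > timedelta(hours=48):
        reasons.append("idle_48h")
    # Compound rule: BOTH timers must have expired, so a recent Face ID
    # unlock keeps an old passcode entry from forcing the passcode.
    if passcode_age > timedelta(hours=156) and face_age > timedelta(hours=4):
        reasons.append("passcode_156h_and_face_4h")
    if s.remote_lock_received:
        reasons.append("remote_lock")
    if s.failed_face_matches >= 5:
        reasons.append("five_failed_matches")
    if s.sos_or_power_off_held:
        reasons.append("sos_or_power_off")
    return reasons

NOW = datetime(2017, 11, 3, 12, 0)  # constructed sample clock

def hours_ago(h: float) -> datetime:
    return NOW - timedelta(hours=h)

if __name__ == "__main__":
    # Constructed cases: same stale passcode, different Face ID recency.
    print(passcode_reasons(DeviceState(NOW, hours_ago(160), hours_ago(1))))
    print(passcode_reasons(DeviceState(NOW, hours_ago(160), hours_ago(5))))
```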
Apple says Face ID will kick back to the passcode after five failed attempts (as happened in the iPhone X demo), just as Touch ID does with fingerprint recognition. The white paper echoes Apple’s claim about Face ID security compared to Touch ID, and includes an interesting tidbit about kids using the iPhone X unlock feature:
“The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID). […] The probability of a false match is different for twins and siblings that look like you as well as among children under the age of 13, because their distinct facial features may not have fully developed.”
In those cases, Apple recommends relying solely on the passcode option and not Face ID, which is a step backwards from Touch ID.
When using Face ID with Apple Pay, the iPhone X will work like the Apple Watch by requiring you to confirm intent by first clicking the side button twice, which is a new requirement for the iPhone.
Apple also notes that Face ID can be used for diagnostics, but only at your request:
“Face ID data doesn’t leave your device, and is never backed up to iCloud or anywhere else. Only in the case that you wish to provide Face ID diagnostic data to AppleCare for support will this information be transferred from your device. […]
“As part of setting up Face ID Diagnostics, your existing Face ID enrollment will be deleted and you’ll be asked to re-enroll in Face ID. Your iPhone X will begin recording Face ID images captured during authentication attempts for the next 7 days; iPhone X will automatically stop saving images thereafter. Face ID Diagnostics doesn’t automatically send data to Apple.”
You can read the full white paper here. Apple has also refreshed its privacy website for customers with a new look and updated information. Apple has also discussed Face ID and privacy in interviews following the iPhone event.
The all-new iPhone X will be available for pre-order on October 27 and ships from $999 on November 3.