Since Apple first officially announced Face ID on September 12, security researchers and privacy experts have pressed the company to reveal more details about just how the face-scanning technology works. Well, the tech giant finally obliged — releasing a six-page overview detailing the ins and outs of the system set to replace Touch ID on the forthcoming iPhone X.
The document confirms some of what we already knew, like the fact that data gleaned from face scans is stored locally on the device. It also cops to the reality that the tech powering Face ID may not be as all-powerful as Apple first suggested.
Take, for example, Apple Senior VP Phil Schiller’s statement that Face ID may not be able to distinguish between twins.
“There’s no perfect system, not even biometric ones,” he noted on September 12 at the Steve Jobs Theater. “If you happen to have an evil twin, you really need to protect your […] sensitive data with a passcode.”
Sounds OK, right? After all, how many of us have evil twins? The newly released Apple document, however, paints things a little differently — saying that siblings might also be able to trick the system into a false positive. Oh, and also, Face ID might not work as well for kids.
“The probability of a false match is different for twins and siblings that look like you as well as among children under the age of 13, because their distinct facial features may not have fully developed,” explains Apple. “If you’re concerned about this, we recommend using a passcode to authenticate.”
This is Apple admitting a simple truth: Existing consumer biometrics aren’t as secure as an alphanumeric password. Face ID, it seems, is no exception.
Apple also opened up about how much access third-party apps will have to the technology. Thankfully for people concerned about advertisers attempting to track facial expressions in real time, the Cupertino-based company says that — for now at least — that’s not something we need to worry about.
“Third-party apps can use system-provided APIs to ask the user to authenticate using Face ID or a passcode, and apps that support Touch ID automatically support Face ID without any changes,” notes the document. “When using Face ID, the app is notified only as to whether the authentication was successful; it can’t access Face ID or the data associated with the enrolled face.”
Interestingly, Apple also details how Face ID will keep up with changes to a user’s face over time. Say, for example, you get a nasty scar on your forehead and the iPhone X doesn’t recognize you. If the scan generates a partial match (although what that means exactly is unclear) and you enter the correct password immediately thereafter, Face ID will use said partial match as a new data point.
“To improve unlock performance and keep pace with the natural changes of your face and look, Face ID augments its stored mathematical representation over time,” explains Apple. “[If] Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation.”
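A simplified model of the update rule Apple describes, added here as an illustration and not Apple's code. The thresholds, the three-number "faces" and the names `FaceTemplate` and `attempt` are assumptions; the point is that a near miss changes the enrolled data only when the correct passcode follows.

```python
import math

# Assumed values: Apple does not publish its thresholds or template format.
UNLOCK_THRESHOLD = 0.95   # match quality needed to unlock
AUGMENT_THRESHOLD = 0.80  # "higher than a certain threshold" near miss

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

class FaceTemplate:
    """Toy model of an enrolled face: a list of feature vectors."""

    def __init__(self, enrolled):
        self.vectors = [tuple(enrolled)]

    def match_quality(self, capture):
        return max(cosine(v, capture) for v in self.vectors)

    def attempt(self, capture, passcode_followed=False, recapture=None):
        """Return the Face ID outcome: 'unlocked', 'augmented' or 'rejected'.

        passcode_followed: the correct passcode was entered immediately
        after the failed scan. recapture: the new capture taken then.
        """
        quality = self.match_quality(capture)
        if quality >= UNLOCK_THRESHOLD:
            return "unlocked"
        if quality >= AUGMENT_THRESHOLD and passcode_followed:
            # Passcode proves ownership, so the near miss becomes a data point.
            self.vectors.append(tuple(recapture or capture))
            return "augmented"
        return "rejected"  # enrolled data is left untouched

def demo():
    # Constructed 3-dimensional "faces"; real representations are far larger.
    template = FaceTemplate((1.0, 0.0, 0.0))
    changed = (0.85, 0.5, 0.0)   # owner after a change in appearance
    stranger = (0.0, 0.0, 1.0)   # unrelated face
    results = [
        template.attempt(changed),                           # near miss, no passcode
        template.attempt(stranger, passcode_followed=True),  # too far to learn from
        template.attempt(changed, passcode_followed=True),   # near miss + passcode
        template.attempt(changed),                           # now recognised
    ]
    return results, len(template.vectors)
```
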
All in all, this newly released info makes it clear that Apple takes the security of your biometric data seriously. While we should be thankful for this, it’s really a bare minimum. That the device can be tricked by siblings is sure to raise a few eyebrows, but that was to be expected based on Schiller’s initial comments.
Time will tell whether or not Face ID catches on, and what privacy implications a widespread adoption would have, but those worried about their device security can always make the simple decision to use a password instead. For now, that’s probably the best move.