With Face ID making its debut on the iPhone X this November, many are questioning the security layered into Apple’s newest unlocking system. Thanks to a newly published white paper from Apple, now we know.
At a high level, Face ID works just like Touch ID, only it scans your face rather than your finger. The iPhone achieves this by projecting a map of 30,000 invisible dots onto your face and reading it back digitally. In dark settings, a dedicated ‘flood illuminator’ provides a bit of infrared lighting so the dot projector can get an accurate reading. A device-specific pattern is also projected as a sort of two-factor authentication method, a bit like pairing a new Apple Watch (more on this below).
Between the dot array and 2D infrared image, the iPhone X creates a sort of bespoke identifier for you. From the white paper:
This data is used to create a sequence of 2D images and depth maps, which are digitally signed and sent to the Secure Enclave. To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern. A portion of the A11 Bionic chip’s neural engine—protected within the Secure Enclave—transforms this data into a mathematical representation and compares that representation to the enrolled facial data. This enrolled facial data is itself a mathematical representation of your face captured across a variety of poses.
All data is stored locally (i.e., on the iPhone), and the new neural engine learns your facial features (and updates over time). It also locks the phone via passcode after five failed attempts to unlock using Face ID, or if the device has gone unused for too long. Again, all very much like Touch ID.
Apple’s main differentiator is that the chances of Face ID being spoofed are 1,000,000:1, while Touch ID is 50,000:1. Save for a twin trying to open your phone, Face ID is about as secure a mobile security system as there is. Apple says it tested Face ID with about one billion images of people from around the world.
In other words, there aren’t any major security downsides to Face ID. It performs like Touch ID, albeit scanning your face instead of your finger. Developers also don’t need to do anything specific to utilize Face ID in their apps. “Apps that support Touch ID automatically support Face ID without any changes,” writes Apple. As with Touch ID, apps aren’t able to tap into the underpinnings of the feature to modify or use a bespoke instance, and they can’t see data associated with an enrolled face; it’s all for authentication.
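The app-side view described above, as an added example that is not from Apple's white paper or the original article: it uses the LocalAuthentication framework, and the names `BiometricResult` and `authenticateUser` are hypothetical. It shows that one policy covers both sensors, that the app receives only a success flag or an error, and how the lockout that follows repeated failed matches surfaces to the app.

```swift
import Foundation
import LocalAuthentication

// Hypothetical result type for this example.
enum BiometricResult {
    case success
    case lockedOut      // too many failed matches; the passcode is now required
    case unavailable    // no biometric hardware, or no face/finger enrolled
    case failed(Error?) // user cancelled, no match, or another error
}

@available(iOS 11.0, *)
func authenticateUser(reason: String,
                      completion: @escaping (BiometricResult) -> Void) {
    let context = LAContext()
    let policy = LAPolicy.deviceOwnerAuthenticationWithBiometrics
    var policyError: NSError?

    // Ask whether biometrics can be used at all before prompting.
    guard context.canEvaluatePolicy(policy, error: &policyError) else {
        let locked = policyError?.code == LAError.Code.biometryLockout.rawValue
        completion(locked ? .lockedOut : .unavailable)
        return
    }

    // The same policy covers both sensors; biometryType only says which one is present.
    let sensor = (context.biometryType == .faceID) ? "Face ID" : "Touch ID"
    print("Prompting with \(sensor)")

    context.evaluatePolicy(policy, localizedReason: reason) { success, error in
        // The reply carries a Bool and an error only: no face or fingerprint data.
        let result: BiometricResult
        if success {
            result = .success
        } else if let laError = error as? LAError, laError.code == .biometryLockout {
            result = .lockedOut
        } else {
            result = .failed(error)
        }
        DispatchQueue.main.async { completion(result) }
    }
}
```

Apps built against the iOS 11 SDK also declare an `NSFaceIDUsageDescription` string in Info.plist before prompting with Face ID.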
We’ll hold off on final judgement until real-world testing, of course, but it seems Apple has done its due diligence in making the transition from fingers to faces.