Associated Incidents
Face ID, Apple's facial identity sensor for iPhone X, is new and that's both scary and ripe for exploitation. We saw it happen with Touch ID, from all the concern that manifested when Apple announced it alongside iPhone 5s to the sensationalized headlines and the attempts to spoof it after it launched. Now, we're seeing the same thing with Face ID — fear, uncertainty, and doubt spread before it was even released and spoof attempts are following in a post-video-first, think-through-the-logic-flow second frenzy. It's a shame. Face ID is incredibly enabling and accessible technology that can all but eliminate active authentication for users and allow them to unlock and use their iPhones more simply and easily than ever before. But those same people, the ones who could benefit the most, are being assaulted by an endless stream of headlines that are, bluntly, worse attacks than many of the so-called exploits they claim to be reporting. I know this because every time one of those headlines goes live, I get calls and messages from my family members who are suddenly panicked by them. And they don't deserve that. Nobody does. Face ID facts Before Face ID was released alongside iPhone X, Apple published a white paper covering its implementation and current limitations. The company followed up with a support article. I summed them all up, and some logical extensions, in my iPhone X review:
Face ID, as currently implemented, does not work in landscape orientation. (The camera system is optimized for portrait.)
Face ID needs to be able to see your eyes, nose, and mouth to be able to function. If too much of that area is blocked by IR filters (like some sunglasses) or other objects (like masks), there's not enough of your face to ID. (This is like the gloved finger with Touch ID.)
Direct sunlight on the Face ID camera can blind it, just like any camera. If you're standing with the sun directly over your shoulder, turn a bit before using Face ID. (This is like the moist finger with Touch ID.)
If you're under the age of 13, your facial features may not yet be distinct enough for Face ID to function properly and you'll have to revert to passcode.
Face ID can't effectively distinguish between identical twins (or triplets, etc.) If you have an identical sibling or even similar looking family member, and you want to keep them out of your iPhone X, you'll have to revert to passcode.
If you give someone else your passcode, they can either delete and re-setup themselves on Face ID or, if they look similar to you, enter the passcode repeatedly at failure to retrain Face ID to recognize their features as well/instead.
Unlike Touch ID, which allows for the registration of up to 5 fingers, Face ID currently only allows for one face. That means no sharing easy access with family members, friends, or colleagues.
If, for any reason, you don't like the idea of your face being scanned, you'll have to revert to passcode or stick with a Touch ID device.
There doesn't seem to be anything shown off in video or breathless headline since that doesn't fall under any of these limitations. Hack vs. spoof One of the most egregious errors in reporting that's gone on around Face ID also echoes those we saw years ago with Touch ID: The conflation of hacking with spoofing.
When people hear or read the word "hack", it's easy to imagine someone got into the system. In this case, the secure enclave on Apple's A11 Bionic chipset that houses the neural networks for Face ID and its data. That absolutely has not happened. For both Face ID and Touch ID, the secure enclave remains inviolate. (That's very different from early HTC and Samsung implementations, which stored fingerprint data in world-readable directories...) What we have seen is people try to spoof it or fool it into thinking its capturing legitimate biometric data. We saw this with Touch ID as well. We saw fingerprints being lifted and reproduced for the express purpose of fooling the sensor system. Even before biometrics, we saw this with traditional keys. People would scan and reproduce keys to get into door locks. It's exactly the type of attack you try against physical security systems. Now we're seeing the same thing with family members, masks, and. Face ID. Family Face ID feuds Earlier this month, we saw two brothers post a video claiming one could unlock the Face ID system of the other. I covered it at the time:
One of the videos that got a lot of attention this weekend was made by two brothers, both of whom were eventually able to get Face ID to unlock the same iPhone X. It was revealed in a follow-up video that the first brother set up Face ID, then the second brother then tried to use it and was properly locked out. Then the second brother entered the iPhone X passcode to unlock. If someone else, including your sibling, has your iPhone X passcode, Face ID doesn't even exist. You've given them much higher access than even Face ID allows — including the ability to reset Face ID and other da