Apple + Security & Privacy

Apple Security: Touch ID vs. Face ID

Posted on December 20th, 2017 by

Apple Security: Touch ID vs. Face ID

Are you among the millions who have already purchased the new iPhone X? If so, you are probably getting acquainted with Face ID! But if you're not sure whether to make the jump to iPhone X or unfamiliar with its new features, you might be wondering: what exactly is Face ID? Is it secure? And is it a worthy Touch ID replacement? Let's find out.

What is Face ID

Face ID replaces the Touch ID fingerprint sensor on the iPhone X.

Rather than using your fingerprint to unlock the phone, your face is used instead. This is done by projecting over 30,000 invisible dots on your face that allows the phone to create a very detailed facial map. A flood illuminator projects infrared light onto your face to help the camera see better in low light conditions, and the camera then reads the dot pattern, captures an infrared photo and merges the collected data to see if your face is the face that is allowed to unlock the phone. This whole system is called the TrueDepth camera. The data crunching is done in the A11 Bionic chip that powers the iPhone X, which also houses the Secure Enclave that has your face ID data stored.

How secure is Face ID?

Apple took several precautions in developing this system to make sure it is secure and accurate. Apple has stated the following:

  • High end masks can't fool it
  • Printed photos of a face can't fool it
  • Videos of a face can't fool it

Right now it appears only identical twins have something to worry about.

If you don't have an identical twin, the risk of a random face unlocking your phone is 1 in 1,000,000 according to Apple.

How does Face ID stack up against Touch ID?

Setting up Face ID is just as easy as setting up Touch ID. Instead of pressing your finger on a sensor several times, you simply move your face around until it has been properly mapped.

Apple said that the chances of a random finger unlocking your phone is 1 in 50,000. Going off of that number alone, Face ID is 20x more secure than Touch ID.

According to Apple, Face ID will recognize you even if you grow a beard, wear glasses or a hat after Face ID is set up. Compare that to Touch ID, which often refuses to work if your finger is wet (rain or workout) or has a cut on it. This makes Face ID much more accurate and reliable in specific scenarios. Fortunately, for both Face ID and Touch ID, if the biometrics ever fail you can still get in with your device passcode.

I don't recall ever meeting anyone who was concerned that a stranger could unlock their phone with Touch ID and I still don't believe this will be a problem going forward. Where Touch ID falters is on the multitude of successful attempts to bypass it. One attempt was successful merely two days after Touch ID was made available, and another attempt used play-doh to get the job done. With Face ID, while a team of hackers have claimed to successfully hack it with a 3D printed mask, no easy exploits are known as of right now.

While a court can compel someone to unlock their device with biometrics, like Touch ID and Face ID, one can refuse (and go to jail for contempt of court). What about other unpleasant scenarios, for example, if someone gets mugged? Face ID should do better than Touch ID. Whereas a mugger can use your fingerprint even if you're immobilized, Face ID requires you to be awake and looking at the camera. If your eyes are closed, it won't unlock. Hopefully you never have to find out how Face ID performs in such a situation, but on paper it is more secure than Touch ID.

As the iPhone X is used by more and more people, no doubt we'll see more of them test and try to trick Face ID. We won't really know how good Face ID holds up to the brutal beatings some security researchers will give it over the next few months, but it is something to keep an eye on.

Security in layers

You've heard it many times before, "the best security comes in layers." This not only applies to your Mac but also your iOS device. Before either Face ID or Touch ID can be used, a passcode has to be set up on your device. It is highly recommended that you make this passcode a 6-digit or multi-character alphanumeric one instead of a 4-digit one. Setting up your device to erase all data after 10 wrong attempts is also a great way to secure your data, as well as having a frequently updated backup to iCloud, your Mac or both.

Another great new feature of iOS 11 is Emergency SOS, which allows you to quickly disable biometric security and default back to your passcode, among other functions. To read more about Emergency SOS and other ways to secure your iOS 11 device, have a look at iOS 11: A Complete Guide to iOS Security and Privacy.

So far we can say, Face ID is certainly not a step back in security. It is as secure, if not more, than Touch ID. I would use both with confidence.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →
  • ruralbob

    Face ID is amazing. I like it much, much more than Touch ID. And it works much better than Touch ID for me.

  • https://islandinthenet.com Khürt L. Williams

    Whereas a mugger can use your fingerprint even if you’re immobilized, Face ID requires you to be awake and looking at the camera. If your eyes are closed, it won’t unlock. Hopefully you never have to find out how Face ID performs in such a situation, but on paper it is more secure than Touch ID.

    Whatever: https://xkcd.com/538/

Sign up For Our Newsletter

Get the latest Mac security news direct to your inbox.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}