ras-slava - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Apple claims iPhone X Face ID has better security than Touch ID

Apple announced the new iPhone X Face ID system, which replaces Touch ID in favor of facial recognition and may offer 20 times fewer false positives than fingerprint scanning.

With the announcement of the premium Apple iPhone X, the company left behind what it called the "gold standard" of smartphone security in Touch ID to focus on facial recognition with Face ID.

During the iPhone event in Cupertino, Calif., Phil Schiller, senior vice president of worldwide marketing for Apple, said the iPhone X Face ID system was built on a new system called TrueDepth. This system combines a traditional camera, an infrared camera, a depth sensor and a dot projector -- which projects 30,000 infrared dots onto the user's face -- to create a "mathematical model of your face."

This model is then run through the Neural Engine -- a part of the new A11 Bionic system on a chip -- to compare the new scan against past models. The system will be able to learn over time to adapt as a person's appearance changes with new hairstyles, facial hair, glasses and so on. All Face ID data will be stored in the Secure Enclave on the user's device and not transmitted to the cloud.

TrueDepth sensors

According to Schiller, the chance of a random person being able to unlock another device with the Touch ID fingerprint scanner was one in 50,000, but the iPhone Face ID should have a one in 1,000,000 chance of a false positive -- a twentyfold improvement. Schiller did note this likelihood would be higher if people share DNA, but claimed it should be able to tell the difference between a user and "an evil twin."

The iPhone Face ID security system was tested against realistic masks designed by Hollywood special effects teams, Schiller said, and it was not fooled. Additionally, iPhone Face ID unlock requires the user's attention and will not work if the user is looking away or has his or her eyes closed. The Face ID security feature will be available exclusively on the iPhone X premium model and not for the forthcoming iPhone 8.

Apple's senior vice president of worldwide marketing, Phil Schiller, speaks during an Apple special event at the Steve Jobs Theatre on the Apple Park campus on Sept. 12, 2017, in Cupertino, Calif. Apple held its first special event at the new Apple Park campus where they announced the new iPhone 8, iPhone X and the Apple Watch Series 3.
Apple held its first special event at the new Apple Park campus where they announced the new iPhone 8, iPhone X and the Apple Watch Series 3.

Experts react to iPhone Face ID security claims

Jackson Shaw, senior director of product management at One Identity, said the improvement in false positives is impressive.

"I am willing to bet Apple has spent a considerable amount of time considering how best to implement Face ID and Touch ID and the tradeoffs between them," Shaw told SearchSecurity. "No system can be foolproof or perfectly secure. Fingerprint biometrics suffered from the 'gummy bear' spoof for many years. What matters is how you stack or layer authentication methods. For example, a PIN code or password to unlock a phone plus a facial biometric would probably near being foolproof."

Veronica Valeros, researcher for the cognitive threat analytics team at Cisco, thought iPhone Face ID security could be a game changer.

Richard Goldberg, principal and litigator at the law firm Goldberg & Clements in Washington, D.C., said legal cases "that permit an order to unlock an encrypted phone using a person's fingerprint would appear to permit an order to unlock an encrypted phone using a person's face."

"However, it is worth remembering that some courts continue to strenuously object to orders demanding a fingerprint to decrypt a device, because the act of production is testimonial and, therefore, cannot be compelled. Federal courts in the 7th and 11th Circuits have held that the act of production using a fingerprint is protected by the Fifth Amendment. So, the uncertainty remains," Goldberg told SearchSecurity. "The new emergency feature in iOS 11 that will disable biometric unlocking appears to solve some but not all of the security concerns. So, the best option remains simply shutting off the phone, which prevents access without the passcode."

Next Steps

Learn how attackers bypassed facial recognition systems.

Find out why authorities can't force smartphone access on iOS 11. 

Get info on the privacy concerns surrounding the FBI's facial recognition system.

Dig Deeper on Biometric technology

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What do you think about Face ID on the iPhone X? How will it change security for your organization?
I think that Apple has outwitted themselves. First, the 1 in 50,000 false match likelihood for TouchID was more than adequate, since possessing the phone was an implied second factor. The likelihood that an attacker would obtain your phone and happen to match was effectively zero. Turning the accuracy up to 1 in 1M makes the statistical zero even smaller, but who cares? More significantly, Apple has ivory towered themselves into the perfect solution for center-use cases, but have completely ignored the edge cases for phone unlock - surreptitious unlock: - at dinner with your wife, phone in your pocket, under the table - in a meeting, where you want to peek at your phone under your desk. - driving down the road, needing to unlock and place a call. Are you going to hold your phone up in your field of view for it to unlock? - and most pressingly, under your covers in bed. Maybe Apple wants to stop people from checking email while their spouse sleeps, but the requirement to get the phone out and able to see my face while my wife sleeps is putting my life at risk. Additionally, locking might be inadvertent, just because I am in view. I personally like the fact that my phone requires me to affirmatively touch the TouchID when I want to unlock.
Well in that case with it being removed from newest iPhones you better stick with your older iPhone model then! 

But.... that's not the biggest problem for Touch ID anyway. It's the Spoofability of all fingerprint sensors and the fact it being on phones hasn't deterred thieves from stealing them. Knowing they can usually pick up a fingerprint off the phone itself to spoof it with!!! ;-P   Sorry but it's the Spoofing that's is why this like TouchID will eventually if not sooner.... FAIL!!!

btw in the meantime, hackers, crackers and others are probably already working on a Spoof of Facial Detection as we speak here. It may not be just a pic on the screen of another device, but it could be a video or whatever they're using to authenticate 'Real Live' person's face!  .....including temperature, conductance, features, wrinkles, etc!  .....just wait for it, it's bound to be coming soon! Sorry!!!  ....unlike IoM Iris sensors on Samsung Phones still giving the ultimate in security! ;-P
Let's see how many days or hours it takes to crack it? Whereas Samsung's Stanford U's SRI Labs IoM or Iris on Move technology is still unbroken and will remain so for the foreseeable future! 

Sorry Apple..... but we still remember all the times you've claimed the best security, when like Touch ID you claimed it to be unbreakable and two days later it was CRACKED... SPOOFED..... TO DEATH!!! ;-P 
sounds great. So I have to take off my sunglasses outside to unlock my phone. or my hat? or in the winter I will have to remove my scarf? I think you would be a moron to think this is a good idea.