Apple Shares In-Depth Security Info on Face ID in New White Paper and Support Doc

Apple has already shared many details on the upcoming Face ID facial recognition feature in the iPhone X through its software engineering chief Craig Federighi, who did several interviews, but now the company has consolidated that information into a new support document and an in-depth security white paper released this morning. [PDF]

If you've been paying attention to Federighi's interviews and all of the Face ID coverage on sites like MacRumors, you may already be familiar with the content of the support document, but it does a good job addressing all common questions and concerns in a single spot.

It outlines the way Face ID works, the conditions in which it works - in the dark, with sunglasses, with hats, etc., and how it's set up, along with security information, including the conditions that will lead to Face ID being disabled:

- The device has just been turned on or restarted.
- The device hasn't been unlocked for more than 48 hours.
- The passcode hasn't been used to unlock the device in the last six and a half days and Face ID hasn't unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.

Face ID, as Apple has said, adapts to changes in appearance, and the document gives a bit more info on that topic. If there is a major change in appearance, like the disappearance of a full beard or a significant haircut, Apple will require a passcode and then update the stored facial data accordingly once your identity is confirmed.

It also covers privacy, explaining that Face ID is just like Touch ID: protected by the Secure Enclave and handled all on-device, using years of established security protocols. Accessibility and safety are also topics Apple addresses.

In fact, developers do not need to update their Touch ID apps for those apps to work with Face ID because the systems are the same.

The TrueDepth camera system will not cause harm to eyes or skin, says Apple, and if damage is caused to the infrared emitters, the camera will be disabled. Apple warns that repairs will need to be conducted by Apple or an authorized service provider, which should not come as a surprise as the same applies to the Touch ID home button.

The white paper, meanwhile, explains in better detail exactly how the TrueDepth camera and the A11 Bionic processor in the iPhone X work together to accurately identify a face and avoid spoofing.
To counter both digital and physical spoofs, the TrueDepth camera randomizes the sequence of 2D images and depth map captures, and projects a device-specific random pattern. A portion of the A11 Bionic chip's neural engine--protected within the Secure Enclave--transforms this data into a mathematical representation and compares that representation to the enrolled facial data. This enrolled facial data is itself a mathematical representation of your face captured across a variety of poses.
Anyone who plans to buy an iPhone X and has questions about how the Face ID feature on the device works should take a look at both the support document and the white paper, as both together answer many questions on security and functionality.

Face ID will become available to the public starting on November 3, the official launch date for the iPhone X.

Tag: Face ID

Top Rated Comments

(View all)

32 months ago

It also fails if youre Craig during a keynote.

Face ID never failed during the event. It did exactly what it was supposed to do, and revert to a passcode option because others handled the iPhone before Craig did, which locked him out. The only thing that failed was the actual demo to the audience, not Face ID itself.
Rating: 34 Votes
32 months ago

What if someone takes my phone, ask me to look up? Now do I have to quickly cover my face so that my phone doesn't end up unlocked?

What if you're sleeping and they take your iPhone 6, 6s or 7 and unlock it by holding your thumb on Touch ID? What if they have hi res cameras in the room and just watch what password you enter when you start the phone? Or what if they take your phone, point a weapon at you and demand you tell them your password, so you can't trigger the emergency lock or auto 911?

There isn't a security system that can't be defeated by someone, in some way. It may require lots of money, being sneaky, getting the owner drunk or brute force but it can be done.
Rating: 17 Votes
32 months ago

That is all interesting and stuff, but why remove the TouchId option? :(

Why do you need two options? Seems confusing and more expensive for what gain?


Craig Federeghi’s interview with John Gruber. He said Touch ID was plan B and once they got Face ID working they stopped working on Touch ID.
Rating: 11 Votes
32 months ago
It also fails if youre Craig during a keynote.
Rating: 10 Votes
32 months ago

Yeah it did. He looked at it, it failed. He turned the screen off and on again to reset the try and then it failed again and asked for the code as per spec on the second fail.

Wrong. Federighi himself confirmed exactly what happened, which was reiterated during the Keynote.
Rating: 9 Votes
32 months ago

That is all interesting and stuff, but why remove the TouchId option? :(

It's an unnecessary extra cost that also takes valuable space inside the phone.
Rating: 8 Votes
32 months ago
Hopefully this will resolve some of the confusion, and incorrect information being spread about their technology. Listened into a few podcasts and read some articles that appeared to be conflicting / unclear.
Rating: 8 Votes
32 months ago

It sounds like you’ll have to put the password in a lot. I hate doing that.

i'm pretty sure touchID has the same conditions.
Rating: 7 Votes
32 months ago

Wrong. It failed.

It failed. People have dissected the video with a lot of scrutiny, you can see that it tries to read his face twice and fails. Did you really think Apple would come out and admit it?

This is what your original quote quoted:

"It also fails if youre Craig during a keynote."

Which is an accurate in itself, because it didn't fail on Craig, The actual demo did. They're two different things that you and others are conflating. It reverted back to passcode exactly as it intended to, regardless if It didn't go accordingly. But that doesn't mean Face ID failed, wouldn't allow him access because of the prior attempts. That's not a fail, that's called a fail safe.
Rating: 6 Votes
32 months ago
There are a couple of edge cases that aren't addressed here: the first is currently multiple people can register their fingers and unlock the phone but FaceID will it register a single face
The second is connected somewhat and that is if it automatically updates the face details, what happens if someone other than the owner unlocks the phone with a PIN while looking at the phone - will it update to use their face for recognition?

This would potentially be an issue for me as I know my wife's passcode and she knows mine in case we need to access the other's phone (for example, if I'm driving and an important email comes through she will read it to me and reply if necessary)

As I said, they are edge cases but I'd like to know how they would be handled
Rating: 6 Votes

[ Read All Comments ]