Of the smorgasbord of features stuffed into Apple’s new thousand-dollar iPhone X, one of the most intriguing is Face ID — a new feature that lets you unlock your iPhone with your gaze after the system has learned what you look like, using Apple’s first-ever neural engine. “In the iPhone X, your phone is locked — until you look at it, and it recognizes you,” Phil Schiller, Apple’s senior vice president of worldwide marketing, said onstage at today’s iPhone event. “Nothing has ever been simpler, more natural, and effortless.”
Here’s how it works: Apple deploys various sensors working in tandem to recognize your face in an instant, using what it calls the TrueDepth camera system. First, a dot projector beams more than 30,000 invisible dots onto your face to build a face map, while a “flood illuminator” helps confirm your face with what little light is available, even in the dark. Then an infrared camera reads the dot pattern and sends this information over to the secure A11 Bionic chip embedded in the iPhone X to process and confirm that your face is a match. The whole system works only when you look directly at the camera without closing your eyes or angling your face away. With Face ID, Apple says, your face becomes your secure password.
Apple claims Face ID is more secure than the previously used Touch ID in old iPhones (which Schiller said had become, before today, the “gold standard in consumer device biometric protection”), and even said there is only a one-in-a-million chance for a nefarious actor to fool the Face ID system and break into your phone. Face ID learns your face and adapts to you even if you wear glasses or grow a beard, the company says. And it isn’t tricked by photographs.
But how secure is Face ID? Security professionals and AI experts say it’s hard to know this early on. Still, that “one in a million” statistic Apple brags about? “It’s meaningless,” Matthew Green, a Johns Hopkins University cryptographer, told BuzzFeed News. “The threat with Face ID is that someone with a picture of your face might be able to fool the camera. We leave pictures everywhere.”
The threat of this happening is very real, as reports recently circulated that mere photographs could fool the facial recognition security feature in another new top-shelf phone, the Samsung Galaxy Note 8. Apple seems to be positioning itself as more secure, given the additional “depth-sensing” capabilities it says live inside the new iPhone X (which confirm that your face is indeed three-dimensional, and not a flat photograph). But without any independent testing of the iPhone X conducted as of yet, it’s impossible to know this for sure.
Meanwhile, Bruce Schneier, an internet security expert and chief technology officer at IBM Resilient, said Apple’s “one in a million” failure claim may well hold up — but that it doesn’t matter if even one person in a million is still able to break into your phone. “That’s why [security] professionals don’t unlock phones that way,” Schneier wrote to BuzzFeed News in an email.
‘Better than a security guard sitting at a desk’
The problem, according to Chris Nicholson, the CEO and founder of a deep-learning startup called Skymind, is that it isn’t immediately clear whether Face ID is more secure than Apple’s biometric Touch ID. But that doesn’t mean it’s useless. “It does introduce another factor” when you talk about the two-factor authentication of accounts and devices, Nicholson said. Even if a bad actor managed to fake one of your identifying “factors,” or passwords, it’s less likely that actor could fake multiple ones.
As Nicholson explained, AI is getting very good at recognizing faces nowadays — and it’s entirely believable Apple is deploying state-of-the-art technology in its devices. “Facial AI and deep learning is at the heart of computer vision, and AI can recognize people better than even people can,” Nicholson said. “In a sense, it’s even better than having a security guard sitting at a desk.”
But as others point out, Face ID will never be totally secure. What if a cop stops you and points the phone at your face, one Twitter user asked, while they have you in handcuffs — then he or she proceeds to look at your phone without a warrant?
This doesn’t exactly tread new territory, security analyst Will Strafach said. “If someone were willing to violate the law and threatened you not to look down or close your eyes, then at that point the same could occur as with Touch ID — your finger could be pressed onto the sensor,” he told BuzzFeed News. “If it’s true that Face ID has a much lower false positive rate than Touch ID, Apple could update its security white paper and independent researchers would be able to confirm this.”
The Privacy Tradeoff
Bolstering that idea of security is the additional detail that Apple says authentication happens instantly on your phone using its new A11 Bionic chip, and that your information (i.e., your face) is never sent to the cloud. In fact, Apple has a long history of aggressively positioning itself as a company that is more privacy- and security-minded than its competitors — and that it is less interested in collecting user data, because it sells devices, not advertising. (As it turns out, this is also great PR for Apple.)
“This reflects Apple’s commitment to privacy, and I respect that,” Nicholson told BuzzFeed News. At the same time, he warned that this hampers Apple from building more powerful AI: “Apple isn’t allowing the data from all the users of its phone to go to a central AI brain and make the AI smarter. That makes everyone feel nice and safe, but it means Apple’s AI isn’t learning as fast as, say, Google” — which puts Apple at a disadvantage as the AI race heats up among tech giants.
Still, whether or not Face ID does have improved security, it doesn’t guard against one-off flukes of the feature failing onstage, as happened during the event on Tuesday. Apple has until Oct. 27, when the iPhone X preorders begin, to address the issue.