Apple has issued a report on the security of its new facial recognition tech that will be part of the upcoming iPhone X.
The iPhone X is currently Apple's only device using Face ID, but the authentication tool has already raised concerns on multiple fronts. So Apple published a white paper on Wednesday answering questions on Face ID's security, like how much of your face's image it actually stores, how long it saves it for, what apps can use Face ID, and a few other ones.
In short, with a glance, Face ID unlocks iPhone X. It provides secure authentication enabled by the TrueDepth camera system, which
uses technologies to accurately map the geometry of your face.
Face ID confirms attention by detecting the direction of your gaze, then uses neural networks for matching and anti-spoofing so you can unlock your phone with a glance. Face ID automatically adapts to changes in your appearance, and safeguards the privacy and security of your biometric data.
To use Face ID, you must set up iPhone X so that a passcode is required to unlock it. When Face ID detects and matches your face, iPhone X unlocks without asking for the device passcode. Face ID makes using a longer, more complex passcode far more practical because you don't need to enter it as frequently.
You can always use your passcode instead of Face ID, and it's still required under the following circumstances:
- The device has just been turned on or restarted.
- The device hasn't been unlocked for more than 48 hours.
- The passcode hasn't been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- itiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
Apple says that the probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID). For additional protection, Face ID allows only five unsuccessful match attempts before a passcode is required to obtain access to
Apple says that not much faces data will be stored through Face ID. Face ID doesn't capture your entire image. It takes on the infrared images, which is represented by 30,000 dots, and creates an map of what your face would look like. It also keeps the "mathematical representation" of your face, rather than the image itself.
The background of your unlocking selfie also isn't stored. The enrollment image -- the first picture you take so Face ID can recognize you -- is cropped to your face only. Every time you unlock your phone using Face ID, the images are "immediately discarded once the mathematical representation is calculated" and compared to the enrolled data.
The face-related data is stored on the device's Secure Enclave chip, and only available there. It's encrypted, and the data "never leaves the device," according to Apple. Even Apple doesn't receive the data, and it's not stored when your phone backs up, either.
"Face ID data doesn't leave your device, and is never backed up to iCloud or anywhere else," Apple says.
The only time your Face ID data would be sent anywhere is if you agree to transfer it for AppleCare, and that would only be diagnostics data. People will be allowed to review and approve what data gets sent, including your face's image. It automatically is deleted after 90 days.
Hoever, third-party will be able to use Face ID for authentication. Any apps that you've used that allow for Touch ID to do that will automatically be able to support Face ID without any changes, Apple said.
But that doesn't mean that they are getting your face's data. Face ID only tells the third-party apps whether or not the authentication went through -- it doesn't send your face's data with it.