How secure is iPhone X’s new Face ID tech?

The new iPhone X can be unlocked with your face. But how secure is the technology?

The chances of someone else unlocking your iPhone are one in a million with Face ID, Apple’s SVP of marketing, Phil Schiller, said at a Tuesday event. With Touch ID there is a one in 50,000 chance it will be opened with the wrong fingerprint. Apple did not disclose where these figures are from.

Here’s how Face ID works: Front-facing cameras and sensors map your face to determine if you are actually the owner of the phone. The tech learns more about your face each time it is used. So for example, it will recognize you even if you grow a beard or put on glasses. It will also work in the dark.

While biometric identification, such as facial recognition and fingerprint sensors, can be more convenient than a passcode, it raises important questions about privacy and security, such as how this data is stored and whether the tech can be tricked.

Apple said facial information is protected by its “secure enclave” to keep data “extremely secure.” The processing is done entirely on the device and not in the cloud in an effort to protect a user’s privacy. Fingerprint information is also encrypted and stored securely. Apple declined to provide further details.

Face ID also requires a person’s attention, so users must have their eyes open and be looking at the device for it to work. This could, for example, prevent someone from opening the device using your face when you’re sleeping.

Apple also says Face ID is designed to prevent spoofing attempts by a photo or a mask. Facial recognition in the past has been tricked with a photo, such as with the Samsung Galaxy Note 8.
While we won’t know if the iPhone X will be fooled until it’s shipped in November, experts believe Face ID will be more difficult to hack than other systems.

“It goes well beyond the Galaxy Note, though it definitely isn’t un-spoofable,” Brian Brackeen CEO of facial recognition company Kairos, told CNN Tech.

Apple’s Schiller joked on stage that user’s should have a passcode if they have an evil twin. But what if you really have an identical twin?
“[Face ID] will probably not be spoofed by a 2D-photo or a mask, but it is more likely to be spoofed by a person who looks similar, like a close family relative or a twin,” Brackeen said.

Schiller noted on stage that Face ID’s accuracy statistics are lower if someone shares a close genetic relationship with you, and Brackeen echoed this sentiment.

However, Frances Zelazny, VP of global cybersecurity startup BioCatch, argues biometrics technology has “gone a long way” in telling the difference between identical twins and she doesn’t see this as a concern.
Face ID is also enabled for Apple Pay, the tech giant’s mobile payments service.

“If Apple’s facial recognition tool proves to be significantly flawed, it could really damage Apple’s hopes for Apple Pay expansion. People simply won’t use a payments tool if they don’t think it is safe,” said Matt Schulz, senior industry analyst at CreditCards.com.

He added this is a “high-risk move” for Apple in wake of Equifax’s recent breach, which exposed the personal information of as many as 143 million Americans, such as Social Security numbers and addresses.

“That debacle has put data security front and center in people’s minds,” Schulz said.
 
- NBC