Apple releases Face ID security guide

A few bits from Apple’s Face ID Security white paper:

When Face ID detects and matches your face, iPhone X unlocks without asking for the device passcode. Face ID makes using a longer, more complex passcode far more practical because you don’t need to enter it as frequently.

If Face ID were able to eliminate the passcode completely, users could use long, impossible-to-memorize strings, just as they would with strong passwords combined with a password manager. But the fact that you have to memorize the passcode (you won’t have to use it much, but you’ll still encounter situations where you’ll need it) limits the complexity. Not a complaint, just an observation.

Here’s when a passcode is still required:

You can always use your passcode instead of Face ID, and it’s still required under the following circumstances:

  • The device has just been turned on or restarted.
  • The device hasn’t been unlocked for more than 48 hours.
  • The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.
  • The device has received a remote lock command.
  • After five unsuccessful attempts to match a face.
  • After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
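
The conditions above can be modeled as a single policy check. The sketch below is an added example, not Apple’s implementation: the `DeviceState` fields and rule labels are hypothetical, and treating each threshold as a strict "more than" comparison is an assumption. It shows that the 156-hour rule only fires when the 4-hour Face ID condition also holds.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds taken from the list above.
MAX_LOCKED = timedelta(hours=48)
MAX_SINCE_PASSCODE = timedelta(hours=156)
MAX_SINCE_FACE_ID = timedelta(hours=4)
MAX_FAILED_MATCHES = 5


@dataclass
class DeviceState:
    """Hypothetical lock-state snapshot; every field name is an assumption."""
    unlocked_since_boot: bool
    last_unlock: datetime                  # most recent unlock by any method
    last_passcode_unlock: datetime
    last_face_id_unlock: Optional[datetime] = None
    failed_face_matches: int = 0
    remote_lock_received: bool = False
    sos_or_power_off_initiated: bool = False


def passcode_reasons(s: DeviceState, now: datetime) -> List[str]:
    """Return the rules that currently force a passcode (empty list: Face ID may unlock)."""
    if not s.unlocked_since_boot:
        return ["restart"]  # model choice: earlier timestamps are ignored after a restart
    reasons = []
    if now - s.last_unlock > MAX_LOCKED:
        reasons.append("locked_48h")
    # Both halves must hold: passcode unused for 156 h AND no Face ID unlock for 4 h.
    face_id_stale = (s.last_face_id_unlock is None
                     or now - s.last_face_id_unlock > MAX_SINCE_FACE_ID)
    if now - s.last_passcode_unlock > MAX_SINCE_PASSCODE and face_id_stale:
        reasons.append("passcode_156h_and_face_id_4h")
    if s.remote_lock_received:
        reasons.append("remote_lock")
    if s.failed_face_matches >= MAX_FAILED_MATCHES:
        reasons.append("five_failed_matches")
    if s.sos_or_power_off_initiated:
        reasons.append("sos_or_power_off")
    return reasons


if __name__ == "__main__":
    now = datetime(2017, 9, 27, 12, 0)  # constructed sample state
    s = DeviceState(True, now - timedelta(hours=5), now - timedelta(hours=160),
                    now - timedelta(hours=5))
    print(passcode_reasons(s, now))
```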

And:

The TrueDepth camera automatically looks for your face when you wake iPhone X by raising it or tapping the screen, as well as when iPhone X attempts to authenticate you to display an incoming notification or when a supported app requests Face ID authentication. When a face is detected, Face ID confirms attention and intent to unlock by detecting that your eyes are open and directed at your device; for accessibility, this is disabled when VoiceOver is activated or can be disabled separately, if required.

This is what’s encrypted and saved in the iPhone X Secure Enclave:

  • The infrared images of your face captured during enrollment.
  • The mathematical representations of your face calculated during enrollment.
  • The mathematical representations of your face calculated during some unlock attempts if Face ID deems them useful to augment future matching.

There’s a lot more in the white paper, including some detail on Apple Pay and third-party access to Face ID.