105 comments

[ 3.1 ms ] story [ 170 ms ] thread
this appears to be a trick of sorts. according to a comment by one of the brothers, faceid only acknowledged the new user after the phone had been unlocked via PIN while looking at it. that sounds a bit like an intentional feature for training the facial recognition?
Yup pretty much, the phone seems to learn appearance changes when the PIN is used to unlock.

They also look quite similar except for 1-2 moles and the different hairstyles. But they have really similar head shapes and facial structures, wearing the same brand of glasses certainly ain't helping either.

For those who don't want to wade through the comments:

> We wanted to give an update on this, since we have had some time to play around with the phone a bit. And this is whats happening. I did not realize what exact steps we had followed until it happened again today. We have been resetting face id and doing it all over again. And this is what the steps are that makes it happen almost 50% of the time. Not sure if its intended or is a bug. 1. My brother(left) setup the face id. 2. Unlocks with his face. Does not with mine. 3. I entered the pin with the phone facing me. It it unlocked as expected. 4. Now I locked it again. 5. I raised it up to my face, and it unlocks. 6. It unlocks each time after that with my face

This is super important info that they've left out of the video. A face similar to the face on file that has the PIN should be considered a face capable of unlocking, I think. Everyone's face changes over time.
At the same time, the system needs to be judged as to if it's secure or not, not if it's the best possible implementation of FaceID or not. After all, something like a fingerprint reader on the back is a valid alternative.

At the end of the day, a system where it's likely you'll find someone who can unlock it isn't very secure.

It didn't just unlock based on a similar face. It unlocked for someone who had a similar face and knew the correct PIN. FaceID learns about changes in your looks based partially on those criteria. If the other person knows your PIN, you've already loss.
What happens when an untrusted person that uses your PIN on a regular basis for legitimate reasons becomes untrusted? Now you need to reset your PIN and retrain FaceID? I hope IOS gives a warning when changing the PIN that if you think FaceID has been compromised to retrain FaceID. edit: because the idea that FaceID could be compromised like this is non-obvious
Sounds like it will only happen if the faces are similar. So if the threshold for matching is 95% match to the internal model, but the faces are 90% similar, and then the new face enters the correct PIN, then the new face will be used to tweak the model, which will move the error to inbetween the features of both. So if their faces are similar to within twice the margin-of-error of the detection algorithm, then you can probably get this effect.

All that said "an untrusted person that uses your PIN" knows your PIN... so they are a trusted person as far as the OS is concerned. There's nothing you can do with FaceID/TouchID that you can't do with the PIN. All FaceID/TouchID do is decrypt the PIN from the secure enclave. So if you've shared your PIN with them, then this is a weird thing, but not actually a security violation.

The difference is that it's easy to change a PIN, but hard to retrain FaceID. So sharing a PIN is reasonable in the knowledge that it can be changed, but you might not be aware that it has more ramifications under opaque and unclear circumstances.
Retraining FaceID takes about 20 seconds. How is that hard?
The hardest part might be noticing in the first place that your FaceID model has drifted away from only your face.
I assume changing the PIN forces a FaceID reset?
That's the thing, though... it would only drift from your face if the face it was drifting too looked similarly enough to your own.
It’s also similar to fingerprint behavior — you could add multiple people’s prints to your phone.
Facebook says one in a million people will match (vs one in 50k for fingerprints). I'd guess that close family generally have a better shot of being that face match compared to a complete stranger (unlike fingerprints which don't seem to have familial features).
(comment deleted)
That’s the issue I’ve had with Apple’s claims about FaceID being X times more secure than TouchID.

Your facial features are very likely to be similar to people who live around you. I don’t believe this is true of fingerprints.

So it seems it’s far more likely that the 1 in million chance of an overlap will be around your phone than the 1 in 50000 chance in case of TouchID.

It's also far more likely that those people do not pose a genuine malicious threat to your data and security
I think parents who have had their kids purchase things from the app store without their approval might disagree.
Does FaceID recognize children as their parents?
Only if the parents have given their child the PIN and they also look similar enough to trigger against the existing facial model.
I personally wouldn't want even my close family members to have complete (read AND write!) access to my texts, emails, Facebook, etc. even though they don't pose a "genuine malicious threat", and I'd guess that's a fairly common sentiment. Privacy has merits beyond security ramifications.
From personal experience, close by people are far more likely to hack you than strangers. Systems should reflect this. For instance, WhatsApp Web shows a prominent notification. Signal does not. So one investigative technique is to get someone's phone for a minute, connect Signal to the desktop client, then rather silently have access to their account.

When it comes to unlocking phones, I'm far more worried about family, romantic partners, friends' kids playing pranks or trying to get a bit of cash than I am about some organized crime gang or CBP faking my face or fingerprint.

>>>Your facial features are very likely to be similar to people who live around you.

Is this your assumption or do you have a reference for this?

I think the assumption was that the people who live around you are genetically related to you aka family. I originally read the statement as meaning geography and proximity to strangers increases the chance that they’ll look like you.
I fail to see how this is relevant to FaceID which profiles the shape of your face. Similar to our senses and similar physiology that would give the same measurement results are not the same thing.
It's also far more likely for an attacker to have your photos upon which to build the authentication profile, than it is for them to have your fingerprint.

Apple is being misleading with that number, because it assumes an attacker would throw random photos/profiles at the iPhone X, not profiles that look very similar to you, which is far more likely to happen in practice.

Thinking about unlocking as an application of the Birthday Problem (or Paradox), can someone with better math skills than me calculate the # of iPhone X users in a room necessary to get to 50% chance that someone can unlock someone else's phone? This would ignore the problem in the article and assume 1 in 1e6 odds.

https://en.wikipedia.org/wiki/Birthday_problem

There's a formula in the article you linked.
Yes, but I didn't think to use Wolfram and couldn't figure out how to reduce the formula to avoid having to calculate 1e6!
R has a function for this

qbirthday(prob = 0.5, classes = 1e6, coincident = 2)

# 1178

You could also just calculate a bunch of the probabilities and find the minimum more "maunually"

in.room <- 1000:1500

probs <- sapply(in.room, function(x) prod(((1e6 - (x - 1)):1e6)/1e6))

in.room[which.min(abs(probs - .5))]

# 1178

This seems like a silly way to think about FaceID. You’d need 1000+ people to all try their faces on each other’s 1000+ phones to get the 50% chance of unlocking. That’s not the scenario biometric authentication is built for, which is why the phone would require a password after 5 failed attempts.
The problem with that is the ease with which anyone can compare their input to the 'key'; externally.

You could very quickly rule out 95% of the field with little effort, and people already do things like say "you look so much like X": we have a short list of collisions already.

Exactly. I'm more worried about if someone can make a mask of someone's face (or even a print out) and get it to work.

But at least it's not like people have pictures of their faces plastered across every social network...

... crap.

Apple specifically mentioned testing with high-end masks, and there have been videos made about people attempting it. It doesn’t work.
As others have said, those who have tried masks haven't worked. But I wonder if normal masks have different heat signatures than real faces, which an IR array can detect. It's possible that something as simple as standard mask + heat would fool the system. Hopefully not!
I agree and it wasn't the intent of the question. More of a purely academic way of putting "one in a million" into more human terms. And it didn't work, since I can't picture a room of 1250 people doing this, like you rightly point out.

But I also don't think the "brother who already knows the phone PIN code" a real world attack vector of concern to most people. I get that it could be an issue in narrow situations: you share your pin code, lookalike sibling uses it to "train" your phone; you change passcode not realizing that phone will still unlock for now-untrusted sibling.

Even in that scenario, I would bet that after a few days of normal usage by the phone's rightful owner alone the attack wouldn't work anymore. But, it's too soon to know.

When they say that the probability of Face ID accepting the wrong person is 1 in N, what do they actually mean?

Does it mean that if some random person who is not you tries to repeatedly unlock you phone, that person will succeed on average once every N tries?

Or does it mean that the set of all people can be sorted into two groups, (1) those who can unlock your phone almost all the time, and (2) those who cannot unlock your phone, with 1/Nth of the population being in the first group?

It means that if 1 million strangers tried to unlock your phone, one of them on average would succeed.

Obviously the phone requires a pin after 5 failures, but that’s another matter.

Free legal advice: dont lock your phone using biometrics like face id. A password is subject to constitutional protections. Your face is not.

Free first aid advice from a lawyer in the armed forces: good luck unlocking your phone after a head/face injury. Hospital will be so much more fun with your phone locked in emergency mode because it wont recognize your swollen face.

You realize you can still use your pin to open it it right?

And you can disable the biometrics with a simple key combination.

And when the police sieze your phone and use your face to unlock it before you can disable it? Ever wonder why apple allows for five tries with the fingerprint reader? They can guess whether you are right handed. After that there are only five digits to test.

As for if injured: go with something like a pin or pattern that doesn't require any paticular body part. My fingurprints never scan properly after swimming or rock climbing.

Apple added an Emergency mode in iOS 11 that’s accessible by clicking the sleep/wake button five times. It also disables Touch ID/Face ID and requires the passcode after that. So if you think your phone will be seized, it’s a pretty quick way to disable everything but the passcode.

https://www.macrumors.com/2017/08/17/ios-11-emergency-sos-di...

> So if you think your phone will be seized, it’s a pretty quick way to disable everything but the passcode.

Good luck if the cops assault you from behind or early in the morning...

By that logic they can also just assult you while the phone is unlocked... which is probably many more times than early in morning.
I've just tried this on my iPhone 7 for the first time (iOS 11.1) and it takes way more than 5 clicks to activate.
iPhone 6s with iOS 11.1 took exactly 5 clicks to bring up the emergency screen and disabled TouchID.
I'm not sure that "I should lock my iPhone biometrics" is going to be the first thing on anybody's mind when they're getting arrested.
Don't do this on your iPhone X... I just did this to test if it disabled Face ID, and it beeped really loudly with an emergency alert blip. It startled me and my dogs; I dropped it on my lap, and almost didn't get to cancel the 911 call before the 3 second timer went off.
Not 100% accurate - if you disable the "Auto Call" function, you don't have the alarm or timer. [1]

Turn off Auto Call

When Auto Call is on and you try to make an emergency call, your iPhone begins a countdown and sounds an alert. After the countdown ends, your iPhone automatically calls emergency services.

Here's how to change the setting:

Open the Settings app on your iPhone.

Tap Emergency SOS, then turn Auto Call on or off.

If you turn off this setting, you can still use the Emergency SOS slider to make a call.

[1] https://support.apple.com/en-us/HT208076

On iPhone X I believe you can just "squeeze" the phone by pressing buttons on both sides to activate this.
>go with something like a pin or pattern

The pin is required to enable biometrics, it’s not one or the other.

And when the police sieze your phone and use your face to unlock it before you can disable it?

If you think that members of law enforcement aren't going to use "rubber hose decryption" if they really want access to your phone, you trust them a lot more than I do.

Don't bother, dick scan unlock is the future, maaan.
It would appear that if you enter the PIN, it rescans your face; presumably as their faces are rather similar it can be trained to accept two faces. The OP wrote an extra comment explaining this:

https://www.reddit.com/r/iphone/comments/7anj9f/iphonex_face...

Edit: Oh, it seems they posted a follow-up video which explains the behaviour:

https://www.reddit.com/r/iphone/comments/7atwap/update_iphon...

It hasn't stopped news sites from reporting this however.

It's seems easy to screw up authentication with Face ID. Apple really did swallow a fly here [1] I wonder, has anyone compiled a full list of iPhone X fails? There are getting to be more than I can remember, but let's see...

1 + 2 + 3 = 24 [2]

The letter 'i' doesn't work on the default keyboard. [6]

$550 to repair the back glass, breaks on first drop [4]

Faster Geekbench, but slower real world usage than Note 8 [5]

Dropped fingerprint scanner because OLED [1]

Dropped face recognition accuracy because of supply issues [3]

Screen burn/color shifting because of OLED [7]

The camera bump and screen notch seem almost like forgetable fashion fumbles with all these issues. We are nearly to a Letterman top 10 list with iPhone X issues. I'm sure Samsung's ad dept will make lots of hay with this stuff.

Note 8 <check mark>

iPhone X

[1] https://www.bloomberg.com/gadfly/articles/2017-10-23/apple-l...

[2] https://qz.com/1114019/if-you-type-123-into-your-apple-iphon...

[3] https://www.cnbc.com/2017/10/25/apple-reduced-iphone-x-facei...

[4] https://www.cnet.com/news/apple-iphone-x-drop-test/

[5] https://youtu.be/s-Vn0h8Wfo0

[6] https://www.macrumors.com/2017/11/01/ios-11-predictive-text-...

[7] https://9to5mac.com/2017/11/03/iphone-x-oled-burn-in-color-s...

Steve Jobs would have fired a lot of people by now. I guess everyone feels job security with Tim Cook around. TC usually defends huge mistakes like these.

1. 1 + 2 + 3 does not = 24 on an iPhone. Rather, 1 + 23 = 24. Already fixed in upcoming iOS release.

2. This doesn't affect anyone I know, but I do see it in the Apple subreddit from time to time. Not as widespread as you may think.

3. Expensive things have a high cost of repair. Go check how much the windshield costs on a Tesla to replace.

4. Twice as fast Geekbench. The "real world" usage is switching between every app rapidly. Hardly "real world". Go time exporting a 4K 60 FPS video after editing.

5. TouchID had a 1 in 50,000 false positive rate. FaceID is 1 in 1,000,000. Seems like an upgrade to me.

6. Your link points to an article saying that is absolutely not true.

7. Just like every other Samsung OLED panel.

Starting apps is hardly a performance test, since a lot of the apps that are started actually seem to be loading network data before they display anything. So it seems to be indicating that the Note 8 outperforms the X on his network.

What would be interesting to investigate for somebody that likes to do a benchmark is how the download speeds are. Apple capped it's Qualcomm chips and Intel is just slower at the moment.

As someone who has worked on dozens of major corporate apps on the App Store I can assure you that the first point is flat out wrong.

You always display something immediately (usually with placeholder images) and then make the network call.

In fact on OSX you are asked (and strongly encouraged by Apple) to supply a startup image which is displayed whilst the app is still loading.

Obviously it's timed when actual content is on the screen.
As someone who has released dozens of apps in the App Store as well as someone who actually watched the video I am quite convinced that the reviewer always timed the moment the content was loaded, not when the empty state of the first screen was first loaded.
Weakly refute the list instead of adding to it as requested. Why even reply?
What's the point? The majority of your posts are anti-Apple, so it seems like you've already made up your mind. If you insist though, I'm more than willing to add.

Note 8 still doesn't have the latest Android OS[0]

Note 8 can be fooled with a photo[1]

Note 8 is powered by an operating system designed by an advertising company[2]

Note 8 CPU is 1/2 the speed of Apple's A11 Fusion[3][4]

The previous generation Note literally exploded. May take more than just 1 year to regain trust[5]

Samsung Pay prone to card skimming [6]

[0] http://bgr.com/2017/10/25/galaxy-s8-oreo-update-release-date...

[1] http://www.businessinsider.com/samsung-galaxy-note-8-facial-...

[2] https://www.samsung.com/us/galaxy/note8/switch-within-androi...

[3] https://browser.geekbench.com/android-benchmarks

[4] https://browser.geekbench.com/ios-benchmarks

[5] http://www.businessinsider.com/samsung-issues-galaxy-note-7-...

[6] https://www.theverge.com/2016/8/9/12410716/samsung-mobile-pa...

1. Is not fixed on 11.1.

Edit: Please be clear it still is upcoming, and not 'had been upcoming when the bug was publicised'; so a simple big in a calculator app takes them exactly 2 releases to fix.

"in upcoming iOS release"
So please be clear it still is upcoming, and not 'had been upcoming when the bug was publicised'; so a simple big in a calculator app takes them exactly 2 releases to fix.
7. was easily avoidable--just don't use an OLED panel. OLED is a flawed technology and it is really disappointing to see Apple switch to it.
It doesn't actually matter if it's a bug or a feature. If you share your passcode with someone, they might as well get in with their face. It's not a security risk.
Until you change your passcode to lock them out and they will have access via faceid. If they have an irrevocable access you don't know about, it's a security issue.
I don't think this is going to be an issue after even a few days' usage and training, but it's too soon to tell. As the brothers point out this seemed to only work on newly reset Face ID phones.

What bothers me more about all this is what a pain it is to pass a phone to my spouse now since you can't intentionally train more than one face. Wife and I routinely use each others phones and while we know the PIN codes, it sure is nice to avoid that hassle.

I have a twin and when we tried the Face ID demo with my face loaded in my brother could have it say 'face recognised'.

This would be conveinent for me because since we both commute to work I have to queue up a playlist or read his messages / email. But, I believe this was a design compromise that was pointed out in the product launch event.

If you have an identical twin you could have fooled a DNA test. I don't think it's a reasonable bar for an unlock-convenience to be more secure than that.
I agree, but to be fair, identical twins will be read as different people with a fingerprint scanner.
Face ID is going to be a monumental failure. It's going to annoy everybody who likes things to happen fast all the time because Face ID will definitely cause a delay and frustrate every user at some point.

Here are quotes from 2 of the very first reviews of this device:

"I will admit I have not tried Face ID yet, but it's hard to imagine a facial recognition system that solves the problem of having to carefully aim a phone at your face." - https://arstechnica.com/gadgets/2017/09/face-id-on-the-iphon... "[Face ID] worked the vast majority of times I tried it"... (NOTE: Not ALL the time) - and "...it’s definitely faster than the first generation of Touch ID, though perhaps slightly slower than the second gen." - https://techcrunch.com/2017/10/31/review-the-iphone-x-goes-t...

And while everyone is holding their breath to see if Face ID works, I can see a bigger problem - The lack of a home button is probably the worst design decision. They should have gone with dedicated virtual home button or better yet, stick with the iPhone 7 style home button. iOS 10 and 11 already has too many problems distinguishing between "global gestures" and "application gestures". Half the time when I start scrolling near the bottom of the screen the control center shows up. I'm looking forward to Apple's time being over. They are already obviously struggling to keep their market share because they can't come up with innovations that people actually want.

Well, at least you are aware of your bias in your approach to FaceID.
I use and like fingerprint unlock, which is what 60% successful? If face is better than that, then it's an improvement. I can't imagine it's worse.
Face ID is actually ridiculously good at recognizing my face. I haven't made any conscious effort to adjust how I look at my phone, which is usually just me lounging back in a big chair with it near my lap. That's terrible posture I know.

I think I've only had to readjust it once or twice, and it is for milliseconds.

Plus, the home bar is really like a virtual home button that you just have to swipe up for instead of pressing down.

> I will admit I have not tried Face ID yet

Sounds like a solid review!

I tried it... Over 5 years ago on Android.
Huh, I didn't realize that Android also has an exact, functional clone of FaceID–and not only that, but 5 years ago? Don't you think that in 5 years, Apple may have improved the technology to actually work?
Not even remotely the same thing. Android's version of facial recognition could be fooled by a photo. Face ID is so good that people have to argue over whether or not identical twins being able to trigger it is less secure than Touch ID.
"It's going to annoy everybody who likes things to happen fast all the time because Face ID will definitely cause a delay and frustrate every user at some point."

It doesn't. FaceID is faster and as reliable as TouchID was for me. Not to mention, with winter coming, have you tried using TouchID with cold fingers? Spoiler alert: it mostly fails.

"The lack of a home button is probably the worst design decision."

Disagree. App switching is faster than ever, the new gestures stick after ~30 minutes of use, unlocking my phone takes less time.

"Half the time when I start scrolling near the bottom of the screen the control center shows up."

The control center isn't accessed by swiping up on iPhone X, it's accessed by swiping down from the upper right "ear" of the screen. So this is a non-starter.

Source: I've been using my iPhone X with FaceID since Friday afternoon, iPhone user since 2008.

Every time anyone says Apple is going downhill, they have their best quarter ever.
Is the feature that it will "re-train" on a new but similar face once unlocked, and this is in order to handle normal slow change of people's faces?
This was addressed in the keynote in no uncertain terms. Starting at 12:12 here: https://youtu.be/eRvBU_tKGjE

Why this is such news to some is a mystery to me

Because of the reasonable expectation of security?
Because people are fools and can’t remember what the company specifically addressed in their own keynote on the actual tech barely a month after said keynote
Five years from now when I have a problem with this I will surely remember that at a keynote in 2017 something something 12 minutes and 12 seconds.
>IPhoneX Face ID fail?

Obviously not, since apart from the hair (or lack thereof), the two brothers look almost identical.

Apple itself said, and not just in some support document, but in the keynote, that it will fail if you have an "evil twin" or, well, an actual twin.

To me all arabs/chinese/Japanese look the same as well. I asked an Indian friend and he said they are not similar.
I don't have difficulty telling Indians (or Chinese etc. for that matter) apart -- I'm also not American myself, and have worked in Asian countries.

They just look very similar to me -- and apparently to Face ID too, and after all, they are siblings.

I'm more concerned about the fact that it seems you have to do a pointless finger swipe to get away from the lock screen even though the phone is actually unlocked. I'd be furious.
What if you want to check the time or notifications?
On a related note, I tried face ID with my identical twin’s iphone X, and sure enough it lets me in pretty much every time without any trickery with the PIN. It’s made me quite uncomfortable with the security it offers as we aren’t so identical as to be mistaken frequently, yet the phone unlocks almost every time...