Some estimates put iPhone X sales this quarter at 30m. And don't forget that people are generally poor at estimating probabilities like this, consider the birthday problem as an example. It takes a group of ~1,200 people for a one in a million collision to be more likely than not to occur. It's very unlikely for it to happen to you, but it's very likely to happen to somebody.
Yet you didn't hear about this with the "1 in 50,000" Touch ID. It's not about brute force, but filtering (you know who has a similar face, you don't know who has a similar fingerprint) and input distribution (similar faces are more likely to be nearby than similar fingerprints).
It is pretty bad that a colleague can unlock your phone, but they would also be able to see and remember your 4-6 number pincode to unlock your phone as well, even touchId can be fooled by a person who happens to have a very similar fingerprint.
I feel Apple should let your train the FaceID a bit more so that it is more correct, or maybe a setting on how precise the match should be, as this is a clear example of where the Face detection is too loose to ease the user compared to the lower security.
According to Apple, Touch ID is far more likely to fail in this way. They say the false positive rate is 1 in 50,000 per fingerprint, and you can enroll up to five fingerprints, so the chances could be as high as 1 in 10,000. Face ID is supposedly 1 in a million. That’s still high enough that we’d expect to see stories like this from time to time.
No one can tell at a glance how similar two people's fingerprints might be, so finding a collision by accident is very hard. Finding similar-looking faces from a pool of candidates is, in contrast, very easy for humans.
It would probably be even easier to find matches if we knew the precise heuristics Apple employs for ignoring glasses, headwear, facial hair, and so on; to be at all practical the feature must have generous degrees of freedom, which in turn reduce discrimination.
Finally, as many have observed, there are plenty of situations where humans will be in close physical and social proximity to others with similar faces: twins, siblings, etc.
Even if collisions are as infrequent as Apple claims (which I find dubious), face identification is fundamentally a lock that is easier to "pick" than fingerprints. I am forced to conclude that depending on facial recognition is a poor engineering decision motivated by user convenience whose limitations are deliberately mischaracterized by marketing materials.
The main use case for a phone passcode is keeping your stuff secure in the event that it’s lost or stolen randomly.
Both technologies are fairly secure against run-of-the-mill thieves. They’re good enough that the market for stolen phones is probably reduced to breaking them down and selling them for spare parts.
If you happen to fall victim to a more sophisticated criminal, Touch ID is going to be way worse. Your phone is covered with the fingerprints needed to unlock it. It will take some sophistication to turn a print into something that can unlock the phone, but it’s doable.
There’s no equivalent for Face ID. Most likely the criminal doesn’t know what you look like at all, so they could try five random people and then get locked out with a probability of success of roughly 1 in 200,000. If they know who you are they could try to look you up and find similar looking people, but that’s going to take time and effort and you have to get it done within 48 hours, and the odds of success are still not great. (If it was easy to reliably unlock the phone with a similar-looking person, we would have heard a hundred stories like this by now.)
It’s far from perfect but I have no qualms trusting my security to it. It’s better than Touch ID and far better than the 0000 passcode I used before that.
As far as I am aware there is no reason to believe siblings or relatives should have similar fingerprints. On the other hand relatives are more likely to have similar facial features.
So for the people who have regular access to your phone, there is no reason to believe the fingerprints should be similar. There is reason to believe their appearances would be.
Depends on how you define "random" thief. Random as in someone taken randomly from anywhere on earth? Yeah, faceId is likely more secure. Is it random as in someone taken randomly from your city or country (which is the most likely scenario)? Then we're talking someone who is likely significantly closer genetically and in appearance to you, which greatly increases the odds of the thief being able to unlock the phone. In more isolated places like islands this effect is even more pronounced.
On the other hand, fingerprints don't suffer from that effect, as they're unaffected by genetic diversity.
We got a friends phone to unlock with her sisters face, but it required the phone to fail, enter correct passcode, fail, enter correct passcode. After two failed attempts (consistently, and after retraining) the iPhone had added enough of her sisters face that her sister could unlock it. I wish these unlock articles would state if the phone was "trained" to learn the new face.
Automatic re-train is a "feature" you cannot turn off, cannot turn on, have no visual feedback that it occurs, and ultimately weakens the security of your device.
If this is what is causing Face Unlock to fail then that's still just as much Apple's responsibility than any other methodology. You also have no way to knowing how much re-train has occurred since Apple doesn't provide that information.
To disable Face ID, open Settings > Face ID & Passcode, and tap Reset Face ID. Doing so will delete Face ID data, including mathematical representations of your face, from your device. If you choose to erase or reset your device using Find My iPhone or erasing all content and settings, all Face ID data will be deleted.
Scenario: I'm driving, my wife tells me I got a text. I tell her my passcode, so she can read it for me. iPhone considers this an opportunity to train the face recognition to recognize "me" better.
It doesn't bother me that she can unlock my phone, but I bet the facial model my phone has for "my" features is a weird hybrid.
Really? It’s been discussed a lot on various podcasts, on Twitter and I’ve heard multiple people IRL talk about that use case and the slightly annoyance it is with the iPhone X.
It is pretty common for spouses to have a finger added on their spouse’s phone for unlocking it with Touch ID, e.g., when you’re driving and get a message, you can give it to your spouse who can reply.
Many parents also have a finger added on their young children’s phones.
None if these scenarios are really possible with Face ID, because you’ll end up training Face ID with two faces. And while phones are usually used by only a single person, it is not an uncommon scenario to have a secondary user.
Yes, really. I don't listen to technical podcasts, and I haven't seen any Twitter or IRL stuff about it.
Anyway, if you want to have a shared phone like this, get one that has Touch ID. Apple offers both.
Or trust that Apple does this intelligently and doesn't train the facial recognition in this case when the face is too far out of bounds. As other commenters mentioned, I'm pretty sure that's how it works. It's not training based on your wife's face unless she looks a lot like you. And in that case, you want her to be able to unlock your phone, so isn't it a good thing?
That second face has to look a lot like yours to get adddd via training.
And if you are one of those couples that look alike enough to be able to train the phone, why do you care? You already gave your spouse full access via your passcode.
We do this as well, except now my wife just grabs my phone and points it at my face in the car to unlock rather than use the passcode. This works pretty easily if you have the “attention detection” feature turned off.
Not arguing this is ideal, but it works and avoids retrains, although Apple have publicly stated retrains only occur if they believe the face matches above a base threshold, which makes it much less likely a female face will retrain on a male Face ID user’s phone, and vice versa. It doesn’t retrain on every passcode entry.
I would guess that the training algorithm doesn't update your face unless the alternate face looks sufficiently similar to yours. This covers new facial hair and weight loss/gain, but would exclude the (very common) spouse issue that you describe — unless you look very similar.
Oh oops, I didn't read carefully enough. Regardless, I think if you're interested in real security, both TouchID and FaceID are terrible (easy to use your body, by force if necessary, to bypass those), and passcode is the only secure option. FaceID and TouchID are just conveniences not affordable to those who have something to lose.
Couldn't Apple fix this by only using data from 100% successful unlock attempts, meaning: If you unlock your phone without having to enter your passcode the data is used to train the model. If you had to enter the passcode - for any reason - the data is not used to train the model.
This would certainly make some edge cases (for example if you didn't use your phone for a while => changed facial features) less "magic" because you would always have to enter the passcode - but a simple "retrain" should then solve the problem... am I correct?
It depends on how you define racism. The meaning people use when calling stuff like this racist is not meant as an insult, and it's not even a comment on the character of the people doing it. Good people can do racist things by this definition since it's focused on systems instead of individuals.
Unfortunately, people rarely define their terms when talking about sensitive subjects. It'd save a lot of people a lot of stress.
Lots of people don't agree on exactly what racism means, but one thing that is always true is that it's evil. That's the core, most powerful, most enduring meaning of the word.
You're just making the motte of the motte-any-bailey argument: Oh, racism isn't an insult, just a neutral description of something. The goal here is to make the word as widely applicable as possible.
The bailey is, of course, that the company is racist! And that's evil! So it needs to shift resources towards whatever the accuser wants them to do.
There's a really, really easy solution here: don't buy an iPhone X.
If the technology is bad and dangerous, stop buying it. Publicly and loudly discourage people from buying it. Go to the media, drum up hysteria about the dangers of FaceID. Bury the technology under public skepticism. Convince people that biometrics are dangerous and put them at much greater risk than before, and send a clear message to the industry when biometric sales tank.
> If the technology is bad and dangerous, stop buying it. Convince people that biometrics are dangerous.
As an individual, I do what you suggest. The problem happens when it's imposed on you. Since most people couldn't care less about privacy, surveillance, and continuous data collection, the result is this:
- You don't want to give your biometrics for a driver's license or passport? Fine, but you won't be allowed to drive or travel. Or open a bank account or work or get social services.
- You don't want to enroll your fingerprints (or palm/retina/iris) for the locks and access cards at your new job. OK, but don't come back to work tomorrow.
- Soon, 3-5 years from now, when every smartphone uses facial recognition and it is mandatory, then what? Stick with your older smartphone? It won't run any future apps and won't have access to whatever new communication technologies that emerge.
You're giving constructive advice -- which is great. But it's not that easy when most people don't give a hoot about privacy and data collection, and it's very difficult to convince them otherwise.
Have you not seen enough evidence that this is harmful?
Put this info in context: frequency of this vs correctly guessing a passcode; probability that your attacker is also the person with a similar face; that it can be disabled.
I wish Face ID were perfect too. But please don't be rash.
What dangers of FaceID? It works great. You immediately got hysterical but apparently don’t even understand how it works.
95%+ of these cases where a very similar face can open the phone is because they trained the iphone to recognize both faces. Caused by very similar looking family members sharing passcodes, each failed attempt adds the face to the model. If you don’t want your very similar brother to access your iphone X, the fix is simple, dint give him your passcode.
FaceID is part of making phones even more secure. Most people won’t use passcodes. TouchID can’t work with gloves, wet/sweaty fingers, etc. FaceID is much easier to setup, and displays notification details without forcing you to unlock. Whichever you prefer, either allows you to have a far more secure passcode without it being a hassle.
I'm not making any comment on Face ID, but the fingerprint reader does not work brilliantly. I think it's pretty good, but it has some major shortcomings.
It works really poorly if you have moisture on your fingers (which is not uncommon for me). And on a number of occasions I've accidentally (and unknowingly) unlocked my phone while it's been in my pocket and subsequently a bunch of crazy stuff has happened (web-pages being opened, clicked through to weird places, accidental reply to an SMS etc).
I'm going to stick with TouchID. Even if my twin brother chose the same passcode as me and was able to unlock my phone with FaceID, he couldn't get past the fingerprint scanner.
We should not use biometrics to unlock anyway. I keep waiting for apple to combine biometrics with passcode, but they don't and seem unwilling do offer that as an option... why is that?
To be clear: face ID should authenticate you are the valid user, then prompt you for your passcode. Wrong face? No passcode challenge.
65 comments
[ 3.7 ms ] story [ 127 ms ] threadI even think that AI investments are going to be a major cause of the next stock market crash.
I feel Apple should let your train the FaceID a bit more so that it is more correct, or maybe a setting on how precise the match should be, as this is a clear example of where the Face detection is too loose to ease the user compared to the lower security.
It would probably be even easier to find matches if we knew the precise heuristics Apple employs for ignoring glasses, headwear, facial hair, and so on; to be at all practical the feature must have generous degrees of freedom, which in turn reduce discrimination.
Finally, as many have observed, there are plenty of situations where humans will be in close physical and social proximity to others with similar faces: twins, siblings, etc.
Even if collisions are as infrequent as Apple claims (which I find dubious), face identification is fundamentally a lock that is easier to "pick" than fingerprints. I am forced to conclude that depending on facial recognition is a poor engineering decision motivated by user convenience whose limitations are deliberately mischaracterized by marketing materials.
Both technologies are fairly secure against run-of-the-mill thieves. They’re good enough that the market for stolen phones is probably reduced to breaking them down and selling them for spare parts.
If you happen to fall victim to a more sophisticated criminal, Touch ID is going to be way worse. Your phone is covered with the fingerprints needed to unlock it. It will take some sophistication to turn a print into something that can unlock the phone, but it’s doable.
There’s no equivalent for Face ID. Most likely the criminal doesn’t know what you look like at all, so they could try five random people and then get locked out with a probability of success of roughly 1 in 200,000. If they know who you are they could try to look you up and find similar looking people, but that’s going to take time and effort and you have to get it done within 48 hours, and the odds of success are still not great. (If it was easy to reliably unlock the phone with a similar-looking person, we would have heard a hundred stories like this by now.)
It’s far from perfect but I have no qualms trusting my security to it. It’s better than Touch ID and far better than the 0000 passcode I used before that.
As far as I am aware there is no reason to believe siblings or relatives should have similar fingerprints. On the other hand relatives are more likely to have similar facial features.
So for the people who have regular access to your phone, there is no reason to believe the fingerprints should be similar. There is reason to believe their appearances would be.
In any case, I’m not trying to defend against my brother, I’m trying to defend against a random thief. They probably won’t look too much like me.
On the other hand, fingerprints don't suffer from that effect, as they're unaffected by genetic diversity.
Automatic re-train is a "feature" you cannot turn off, cannot turn on, have no visual feedback that it occurs, and ultimately weakens the security of your device.
If this is what is causing Face Unlock to fail then that's still just as much Apple's responsibility than any other methodology. You also have no way to knowing how much re-train has occurred since Apple doesn't provide that information.
https://support.apple.com/en-us/HT208108
To disable Face ID, open Settings > Face ID & Passcode, and tap Reset Face ID. Doing so will delete Face ID data, including mathematical representations of your face, from your device. If you choose to erase or reset your device using Find My iPhone or erasing all content and settings, all Face ID data will be deleted.
It doesn't bother me that she can unlock my phone, but I bet the facial model my phone has for "my" features is a weird hybrid.
It is pretty common for spouses to have a finger added on their spouse’s phone for unlocking it with Touch ID, e.g., when you’re driving and get a message, you can give it to your spouse who can reply.
Many parents also have a finger added on their young children’s phones.
None if these scenarios are really possible with Face ID, because you’ll end up training Face ID with two faces. And while phones are usually used by only a single person, it is not an uncommon scenario to have a secondary user.
Anyway, if you want to have a shared phone like this, get one that has Touch ID. Apple offers both.
Or trust that Apple does this intelligently and doesn't train the facial recognition in this case when the face is too far out of bounds. As other commenters mentioned, I'm pretty sure that's how it works. It's not training based on your wife's face unless she looks a lot like you. And in that case, you want her to be able to unlock your phone, so isn't it a good thing?
And if you are one of those couples that look alike enough to be able to train the phone, why do you care? You already gave your spouse full access via your passcode.
She can change the music on my phone while driving, look up stuff for me to enter into maps, and do everything else with it.
Not arguing this is ideal, but it works and avoids retrains, although Apple have publicly stated retrains only occur if they believe the face matches above a base threshold, which makes it much less likely a female face will retrain on a male Face ID user’s phone, and vice versa. It doesn’t retrain on every passcode entry.
https://images.apple.com/business/docs/FaceID_Security_Guide...
https://support.apple.com/en-us/HT208108
https://xkcd.com/538/
If you give your passcode to someone with extremely similar facial features, you should expect that they'll be able to unlock your phone.
This would certainly make some edge cases (for example if you didn't use your phone for a while => changed facial features) less "magic" because you would always have to enter the passcode - but a simple "retrain" should then solve the problem... am I correct?
Unfortunately, people rarely define their terms when talking about sensitive subjects. It'd save a lot of people a lot of stress.
You're just making the motte of the motte-any-bailey argument: Oh, racism isn't an insult, just a neutral description of something. The goal here is to make the word as widely applicable as possible.
The bailey is, of course, that the company is racist! And that's evil! So it needs to shift resources towards whatever the accuser wants them to do.
If the technology is bad and dangerous, stop buying it. Publicly and loudly discourage people from buying it. Go to the media, drum up hysteria about the dangers of FaceID. Bury the technology under public skepticism. Convince people that biometrics are dangerous and put them at much greater risk than before, and send a clear message to the industry when biometric sales tank.
Anything else is hypocrisy.
Or buy one if you want one and use an alphanumeric passcode if you don't like biometrics.
And if for some reason they do, change platforms then.
Long ago, no one thought mobiles and laptops would not have removable batteries either.
The idea Apple would remove passcodes is a paranoid fantasy on par with them removing the touch screen to force you to use Siri.
As an individual, I do what you suggest. The problem happens when it's imposed on you. Since most people couldn't care less about privacy, surveillance, and continuous data collection, the result is this:
- You don't want to give your biometrics for a driver's license or passport? Fine, but you won't be allowed to drive or travel. Or open a bank account or work or get social services.
- You don't want to enroll your fingerprints (or palm/retina/iris) for the locks and access cards at your new job. OK, but don't come back to work tomorrow.
- Soon, 3-5 years from now, when every smartphone uses facial recognition and it is mandatory, then what? Stick with your older smartphone? It won't run any future apps and won't have access to whatever new communication technologies that emerge.
You're giving constructive advice -- which is great. But it's not that easy when most people don't give a hoot about privacy and data collection, and it's very difficult to convince them otherwise.
Have you not seen enough evidence that this is harmful?
Put this info in context: frequency of this vs correctly guessing a passcode; probability that your attacker is also the person with a similar face; that it can be disabled.
I wish Face ID were perfect too. But please don't be rash.
95%+ of these cases where a very similar face can open the phone is because they trained the iphone to recognize both faces. Caused by very similar looking family members sharing passcodes, each failed attempt adds the face to the model. If you don’t want your very similar brother to access your iphone X, the fix is simple, dint give him your passcode.
FaceID is part of making phones even more secure. Most people won’t use passcodes. TouchID can’t work with gloves, wet/sweaty fingers, etc. FaceID is much easier to setup, and displays notification details without forcing you to unlock. Whichever you prefer, either allows you to have a far more secure passcode without it being a hassle.
Face ID is an answer to a question no one asked. I’m sure I’d acclimate but the fingerprint reader works brilliantly.
I'm not making any comment on Face ID, but the fingerprint reader does not work brilliantly. I think it's pretty good, but it has some major shortcomings.
It works really poorly if you have moisture on your fingers (which is not uncommon for me). And on a number of occasions I've accidentally (and unknowingly) unlocked my phone while it's been in my pocket and subsequently a bunch of crazy stuff has happened (web-pages being opened, clicked through to weird places, accidental reply to an SMS etc).
To be clear: face ID should authenticate you are the valid user, then prompt you for your passcode. Wrong face? No passcode challenge.