As expected, Apple unveiled a new facial-recognition feature called Face ID today (Sept. 12) at the company's Cupertino, California, campus.
Face ID replaces the fingerprint-based Touch ID unlock system on the flagship iPhone X model, which has no Home button. (The new iPhone 8 and 8 Plus models do retain Touch ID.)
From a security standpoint, this is a step backward. Facial recognition is much less accurate than fingerprint recognition, which is in turn much less accurate than a passcode.
Apple's implementation will probably be more secure than the facial recognition on many Android phones. Company executive Phil Schiller noted that Face ID verifies the user by using infrared cameras to sense body heat, a 3D camera to measure depth, and a dot-matrix system to map facial features. That's similar to what Microsoft has done with its own Windows Hello system, which until now has been the gold standard among facial-recognition systems on consumer devices.
Schiller said Apple engineers built Face ID so that it couldn't be fooled by photos or masks, and claimed — improbably — that the system would have a false-positive rate of only one in a million. (By contrast, Schiller said, Touch ID's false-positive rate was one in 50,000. Microsoft claims a false-positive rate of one in 100,000 for Windows Hello.)
You should nevertheless expect to soon see a few news items about iPhone X units being unlocked by photographs, by video clips and by people who just look like the phones' rightful owners.
Facial recognition will never be perfect, and it's best regarded as a convenience rather than a security feature. If you really want to make sure your phone is locked, default to a passcode.
"To date, there is nothing more reliable than a long randomized password," said Leigh-Anne Galloway, cyber security resilience officer at Positive Technologies in London. "Fingerprint scanning, facial recognition, Bluetooth, geolocation and even a short PIN are all ways to simplify access not only for yourself, but also for a potential attacker."
Some privacy advocates and political activists worried that Face ID could be abused by police and other authorities to unlock phones without the users' consent.
"With FaceID, cops can just point your phone at your face while they have you in handcuffs then look through your phone without a warrant," tweeted a guy calling himself Jerrah Mormont. (You could, however, just close your eyes.)
Meanwhile, members of the small but renowned community of biometrics hackers were itching to have a go at Face ID to see if they could fool it.
"I can't wait to see how Apple thinks they can turn the world's most exposed credential (your face) into a secure key," tweeted Marc Rogers, a famed hacker and head of information security for CloudFlare in San Francisco. "Game on."