Is Face ID secure? Apple takes on lingering questions
An Apple report should quell most privacy concerns about the iPhone X's facial recognition tech. But the company leaves a few questions unanswered.
Just how secure is Apple's new Face ID?
Apple on Wednesday released a technical white paper that offers a breakdown of the security behind Face ID, its new facial recognition tech.
For now the iPhone X will be Apple's only device using Face ID, but the authentication tool has already raised concerns on multiple fronts. Sen. Al Franken, a Democrat from Minnesota, wrote a letter to Apple CEO Tim Cook earlier this month asking how the Face ID data is stored and if it could be accessed by a third-party app. There have also been concerns about how the biometric tech, which uses multiple scanners for facial recognition, will be used in the courts and by police.
Apple's white paper answers questions like how much of your face's image the company actually stores, how long it saves the image and what apps can use Face ID. But it doesn't directly address how robust Face ID's privacy is when it comes to law enforcement. Here's what Apple did answer in its document:
How much of my face's data would be stored through Face ID?
Not much, unless you count a mathematical equation and infrared dot plots as your image.
Face ID doesn't capture your entire image, Apple said in its paper. It takes infrared images, which are represented by 30,000 dots, and creates a map of what your face would look like. It also keeps the "mathematical representation" of your face, rather than an image itself.
The background of your unlocking selfie isn't stored either. The enrollment image -- the first picture you take so Face ID can recognize you -- is cropped to your face only. Every time you unlock your phone using Face ID, the images are "immediately discarded once the mathematical representation is calculated" and compared to the enrolled data.
Apple lists Face ID features at an event earlier this month unveiling the iPhone X.
Where is the data being stored? Could hackers extract my image online?
The data is stored on the device's Secure Enclave chip and is available only there. It's encrypted, and the data "never leaves the device," according to Apple. Even Apple doesn't receive the data, and it's not stored when your phone backs up, either.
"Face ID data doesn't leave your device, and is never backed up to iCloud or anywhere else," Apple writes.
It's the same way data is stored for Touch ID, Apple's fingerprint reader. Because the data is stored on your device and not on a server or in a cloud, someone would have to have physical access to the device to be able to steal it. And even that would be difficult, considering that the Face ID data is encrypted.
The only time your Face ID data would be sent anywhere is if you agreed to transfer it for AppleCare tech support, and that would only be diagnostics data. You're allowed to review and approve what data gets sent, including your face's image. And it's automatically deleted after 90 days.
Will third-party apps be able to use Face ID?
Yes. Third-party apps will be able to use Face ID for authentication. Any apps you've used that tap Touch ID for that will automatically be able to support Face ID without any changes, Apple said.
But that doesn't mean the apps are getting your face's data. Face ID only tells the third-party apps whether the authentication went through -- it doesn't send your face's data along. The process is similar to making purchases with Face ID on the App Store and iTunes. You'll be able to do that with any app where developers allow for Face ID.
How did Apple account for diversity with Face ID?
Apple said it used more than a billion pictures to train Face ID to recognize people. Franken asked where the company got those billion images, a question Apple didn't answer. The company said it worked with a diverse group of people to account for different genders, ages, ethnicities and "other factors."
Does Face ID replace my password?
No. Face ID requires a password to be enabled. Apple said Face ID should actually make having a "longer, more complex passcode far more practical," since you won't need to enter it as often.
"Face ID doesn't replace your passcode, but provides easy access to iPhone X within thoughtful boundaries and time constraints," Apple writes. Also, there're a few circumstances where you'll need to enter your password to get in the phone:
- When it's just been turned on
- When it hasn't been unlocked for more than 48 hours
- When it received a remote lock command
- If you've made five unsuccessful attempts to unlock using Face ID
- When Emergency SOS is activated (holding the volume and side buttons for two seconds)
The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.
iHate: CNET looks at how intolerance is taking over the internet.