Why I'm Passing on iPhone X and Face ID—for Now

I hate passwords. They're clunky, unsafe, long and complex by necessity, hard to remember, and easy to forget. And hackers have their choice of ways to steal them: keyloggers, phishing scams, and data breaches.

But they do fail in predictable ways.

Unfortunately, the same can't be said about Apple's cutting-edge Face ID authentication technology. Released with the flagship iPhone X earlier this year, Face ID uses sophisticated tech to identify the person holding the phone. In addition to creating a 3D map of your face, Face ID uses machine learning to adapt as you, say, grow a mustache, don glasses, or move into different light settings.

All the effort that has gone into developing Face ID is intended to fix the flaws of previous face-authentication technologies, which could often be fooled with a still image or a flat video of a face. And to be fair, Apple has done a good job at preventing trivial hacks. The company claims the probability that a random person could look at your iPhone X ($999.00 at Verizon) and unlock it using Face ID is approximately 1 in 1,000,000.

But this complexity has introduced its own challenges and made Face ID behave in unpredictable ways. After looking at the wacky techniques people have used to test the limits of Face ID's security, I'm still finding it hard to define a common pattern in the ways it has failed.

For instance, Wired's $1,000 mask of reporter David Pierce didn't fool Face ID. But the $150 half-mask and fixed, printed eyes from Vietnamese security firm Bkav unlocked the iPhone X. And Face ID was able to tell the difference between identical twins, but it mysteriously thought a mother and her 10-year-old son were the same person. In two other tests, brothers who were years apart in age were able to unlock the same iPhone X.

Fooling Face ID

In Apple's defense, the demonstrated failures are all edge cases, and most of them are questionable. There are reasons to be suspicious of the method Bkav used to trick Face ID, and Apple has made it clear that the statistical probability of someone other than you unlocking your phone with Face ID changes when that person is your twin or a relative who looks much like you.

But what concerns me is that Face ID's AI algorithms can be gamed. The not-so-look-alike brothers who managed to unlock the same iPhone later explained how they forced it to fail and then entered the passcode manually several times. Though Apple is tight-lipped about how its technology works, it seems the two brothers were able to train the algorithm into thinking they were the same person. Bkav might have used a similar technique to trick the iPhone into thinking the mask was a variation of the owner's face.

Face ID's failures demonstrate the challenge of machine-learning algorithms. In contrast with traditional software, for which human developers provide the rules, machine-learning software defines its own rules by analyzing large sets of data and gleaning correlations and common patterns. For Face ID, the AI ingests maps and images of your face and creates its own rules for recognizing you.

The problem is that we don't exactly know what those rules are. This effectively turns the algorithms into black boxes whose behaviors and decisions often perplex users—and even their creators. An AI algorithm behaving strangely is not much of a problem when it's suggesting what you should buy or watch next. But when it's making sensitive decisions, unpredictable behavior can result in critical mistakes.

When you're relying on a technology to protect a device that holds access to a wealth of sensitive information—social media accounts, banking apps, and more—you want to know its limits and how it might fail. In this regard, Face ID has so far proven to be less reliable. Until Apple becomes more transparent about how Face ID works, I will stick with Touch ID on my iPhone 6s.

Apple iPhone X Preview