Apple has told us that Face ID is more secure than Touch iD. It’s the future. So Apple’s decision to use Touch ID on the new iPad mini and Air contradicts Apple’s stated privacy goal.
Apple often reminds us of two things.
- Apple only makes the best products.
- Apple products are designed to protect your privacy.
Given the above, one might expect Apple to charge a little more for those new iPads, include Face ID, and provide the best possible security. Instead, it sure looks like Apple has sacrificed security for cost savings.
Face ID vs. Touch ID
When the iPhone X shipped in November, 2017, there was a lot of discussion about the relative security of Touch ID vs. Face ID. I haven’t seen any detailed technical reports comparing the two. But we do have some data from Apple itself. That was used in this article explaining the relative security of the two methods. “Apple Security: Touch ID vs. Face ID.”
If you don’t have an identical twin, the risk of a random face unlocking your phone is 1 in 1,000,000 according to Apple….
Apple said that the chances of a random finger unlocking your phone is 1 in 50,000. Going off of that number alone, Face ID is 20x more secure than Touch ID.
Those numbers come from Apple’s Face ID Security document, page 2.
Appearance is Everything
If we believe that Face ID is more secure, it’s the next step in better device authentication, and that weaknesses have probably been discovered in Touch ID, (out since the iPhone 5s in 2013), then we have to assume that Apple is providing inferior technology in these two new iPads to lure the customer with a lower price. Is that trade-off a conscious decision we should be forced into?
Regarding the aging of technology, I believe this. Security technology is only excellent in the era in which it reigns. After that, it starts to decline in effectiveness. This is why we don’t use 56-bit DES encryption anymore.
On the other hand, if Apple feels that Touch ID is, in fact, actually just as secure as Face ID, the company should say so in order to justify its product design decision. I’m eager to hear Apple say more about this.
1 in 50,000 random fault rate is pretty low. At 10 fingers per thief, it would take 5000 thieves. The problem with random things is that you don’t really know if the fault will occur on the first attempt or on the 50,000th, or the first out of a million for Face ID. I’m not sure that the Touch or Face ID faults would really be random either. Is there really a security problem with Touch ID? No.
And saying that we don’t use 56 bit encryption for data transmissions anymore isn’t a supporting arguement for this form of security. Hacking data by monitoring it and using computer algorithms to decrypt it is nothing like the Face ID security hacking. Hacking data is going on by many thousands of thieves constantly. Hacking into your iPad with Touch ID is a single event.
I agree with other comments about Touch ID being secure enough. I certainly don’t want to pay any more for face recognition, especially if it’s less convenient.
Hello John:
@Doug Petrosky makes some salient points regarding the balance between relative cost and security, with an emphasis on the word ‘relative’. In most everyday situations, apart from professional or state-sponsored attacks, the relative gains in security between touch vs Face ID likely remain imperceptible and non-essential; all bets being off with state – sponsored exploits.
My first thought, when I saw the return to Touch ID with the iPad Air and Mini was convenience. While I love my iPad Pro latest gen with Face ID, I am often at the wrong angle or too far away to activate Face ID, and have had to type in my code far more frequently with this computer than I’ve had to since the introduction of Touch ID, which only requires that I be in arm’s reach. For my iPhone, that’s seldom a practical issue. For the larger device, it frequently is, as it is sitting on a surface and not in my hand. I’m sure that Apple are monitoring these data.
So, for some, apart from relative security and costs, might be user experience; but I think that Doug basically nailed it.
Is it a step backwards or pause? There may be technical problem to overcome though as Doug says it might be the cost.
I’ve listened to you for long enough to know you are not this stupid! This is not a matter of insecure or secure. This is not Samsung’s face recognition that can be circumvented with a photograph, this is Secure or even more Secure. That is not to say that there are not even more secure systems beyond FaceID but that fact doesn’t make FaceID insecure.
With no way of knowing if you are going to be that 1 in 50,000 match and with only a couple chances before you get locked out, touchID is plenty secure for even financial transactions. 1 in a million is even less likely but there are costs involved and Apple seeks to make the best possible devices that are in reach of their consumers. Otherwise all iPhones would have sapphire screens and ceramic backs. The cost to move to FaceID is assumed to be about $200 more than touchID. So a $499 10.5 inch ipad Air with FaceID is a $699 iPad Air which is too close to the $799 iPad pro 11 inch.
You are better than this John.