Face ID


Face ID is a facial recognition system designed and developed by Apple Inc. for the iPhone and iPad Pro. A successor to Touch ID, the system allows biometric authentication for unlocking a device, making payments, and accessing sensitive data, as well as providing detailed facial expression tracking for Animoji and other features. Initially released in November 2017 with the iPhone X, it has since been updated and introduced to most new iPhone models, and all iPad Pro models.
The Face ID hardware consists of a sensor with three modules; a dot projector that projects a grid of small infrared dots onto a user's face, a module called the flood illuminator that reads the resulting pattern and generates a 3D facial map, and an infrared camera which takes an infrared picture of the user. This map is compared with the registered face using a secure subsystem, and the user is authenticated if the two faces match sufficiently. The system can recognize faces with glasses, clothing, makeup, and facial hair, and adapts to changes in appearance over time.
Face ID has sparked a number of debates about security and privacy. Apple claims that Face ID is significantly more advanced than Touch ID. It has a significantly less amount of false positives. Still, Face ID has shown issues at separating identical twins. Multiple security features largely limit the risk of the system being bypassed using photos or masks, and only one proof-of-concept attempt using detailed scans has succeeded. Debate continues over the lack of legal protections offered by biometric systems as compared to passcode authentication in the United States. Privacy advocates have also expressed concern about third-party app developers' access to "rough maps" of user facial data, despite rigid requirements by Apple of how developers handle facial data.

History

announced Face ID during the unveiling of the iPhone X on September 12, 2017. The system was presented as the successor to Touch ID, Apple's previous fingerprint-based authentication technology embedded in the home button of the iPhone 8 and earlier devices. On September 12, 2018, Apple introduced the iPhone XS and XR with faster neural network processing speeds, providing a significant speed increase to Face ID. On October 30, 2018, Apple introduced the third generation iPad Pro, which brings Face ID to the iPad and allows face recognition in any orientation. On September 10, 2019, Apple announced the iPhone 11, 11 Pro, and 11 Pro Max, which all had the third generation Face ID which is 30% faster than Face ID on the iPhone XS.

Technology

Face ID is based on a facial recognition sensor that consists of two parts: a dot projector module that projects more than 30,000 infrared dots onto the user's face, and an infrared camera module that reads the pattern. The pattern is encrypted and sent to a local "Secure Enclave" in the device's CPU to confirm a match with the registered face. The stored facial data is a mathematical representation of key details of the face, and it is inaccessible to Apple or other parties. To avoid involuntary authentication, the system requires the user to open their eyes and look at the device to attempt a match, although this can be disabled through an accessibility setting. Face ID is temporarily disabled and the user's passcode is required after 5 unsuccessful scans, 48 hours of inactivity, restarting the device, or if two of the device's side buttons are held briefly.
Apple claimed the probability of someone else unlocking a phone with Face ID is 1 in 1,000,000 as opposed to Touch ID at 1 in 50,000. During initial setup, the user's face is scanned twice from a number of angles to create a complete reference map. As the system is used, it learns about typical variations in a user's appearance, and will adjust its registered face data to match aging, facial hair growth, and other changes using the Neural Engine. The system will recognize a face wearing hats, scarves, glasses, most sunglasses, facial hair or makeup. It also works in the dark by invisibly illuminating the whole face with a dedicated infrared flash module.
Authentication with Face ID is used to enable a number of iOS features, including unlocking the phone automatically on wake, making payments with Apple Pay, and viewing saved passwords. Apps by Apple or third party developers can protect sensitive data with a system framework; the device will verify the user's identity and return success or failure without sharing face data with the app. Additionally, Face ID can be used without authentication to track over 50 aspects of a user's facial expression and positioning, which can be used to create live effects such as Animoji or camera filters.

Devices with Face ID

Face ID uses an infrared flood illuminator and dot projector, though Apple insists that the output is low enough that it will cause no harm to the eyes or skin, and meets 'international safety standards'. They do not, however, recommend the sensor be repaired by third parties, and there is an inbuilt feature to deactivate Face ID should faulty components be found.

Issues

Twins and close relatives

Inconsistent results have been shown when testing Face ID on identical twins, with some tests showing the system managing to separate the two, while other tests have failed. The system has additionally been fooled by close relatives. Apple states that the probability of a false match is different for twins and siblings, as well as children under 13 years of age, as "their distinct facial features may not have fully developed".

Law enforcement access

Face ID has raised concerns regarding the possibility of law enforcement accessing an individual's phone by pointing the device at the user's face. United States Senator Al Franken asked Apple to provide more information on the security and privacy of Face ID a day after the announcement, with Apple responding by highlighting the recent publication of a security white paper and knowledge base detailing answers.
The Verge noted that courts in the United States have granted different Fifth Amendment rights in the United States Constitution to biometric unlocking systems as opposed to keycodes. Keycodes are considered "testimonial" evidence based on the contents of users' thoughts, whereas fingerprints are considered physical evidence, with some suspects having been ordered to unlock their phones via fingerprint.

Infiltration

Many people have attempted to fool Face ID with sophisticated masks, though most have failed. In November 2017, Vietnamese security firm Bkav announced in a blog post that it had created a $150 mask that successfully unlocked Face ID, but WIRED noted that Bkav's technique was more of a "proof-of-concept" rather than active exploitation risk, with the technique requiring a detailed measurement or digital scan of the iPhone owner's face, putting the real risk of danger only to targets of espionage and world leaders.

Third-party developers

If the user explicitly grants a third-party app permission to use the camera, the app can also access basic facial expression and positioning data from Face ID for features such as precise selfie filters such as those seen in Snapchat, or game characters mirroring real-world user facial expressions. The data accessible to third parties is not sufficient to unlock a device or even identify a user, and Apple prohibits developers from selling the data to others, creating profiles on users, or using the data for advertising. The American Civil Liberties Union and the Center for Democracy and Technology raised privacy questions about Apple's enforcement of the privacy restrictions connected to third-party access, with Apple maintaining that its App Store review processes were effective safeguards. Jay Stanley, a senior policy analyst with the ACLU, has stated that the overall idea of letting developers access sensitive facial information was still not satisfactorily handled, with Stanley telling Reuters that "the privacy issues around of the use of very sophisticated facial recognition technology for unlocking the phone have been overblown. The real privacy issues have to do with the access by third-party developers".