Face ID is undeniably more secure than Touch ID in a random sampling of population. Apple says the chance of a person unlocking your phone with Face ID is 1 in a million.
However, that probability can be considerably lower for siblings, twins and children under the age of 13. A new video from a mother highlights exactly these limitations; she finds her 10-year old son can reliably unlock her phone using his face. Video after the jump …
In the security white paper, Apple recommends disabling the Face ID feature if you are concerned about identical twins or siblings unlocking the device. However, it’s a tough sell because using the face unlock is so much more convenient than typing in a passcode.
The two family members do share a similarity in how they look, but it’s not exactly what you would call a striking resemblance. The child is only ten years old, so the ‘undeveloped facial features’ may be playing a role here.
What also might be happening is that Face ID on the iPhone has trained itself to the son accidentally during the repeated testing when making the video. Here’s how Apple describes this process:
This means that if the son initially fails to unlock his parent’s device, but then the password is entered whilst in view of the sensor, his Face ID data can be brought into the neural network’s processing. This would make it more likely for his face to unlock the device in future, even if the initial setup process was the mother alone.
In a WIRED article interviewing the mother, they claim that this was not what had happened. However, it’s honestly the most likely explanation for how this would work and it’s very easy to accidentally train it without thinking. The lack of defined facial features for the child will also play a role here.
The article also suggests that the lightning conditions of the initial training had a noticeable effect on the accuracy in this particular case:
At WIRED’s suggestion, Malik asked his wife to re-register her face to see what would happen. After Sherwani freshly programmed her face into the phone, it no longer allowed Ammar access. To further test it, Sherwani tried registering her face again a few hours later, to replicate the indoor, nighttime lighting conditions in which she first set up her iPhone X. The problem returned; Ammar unlocked the phone on his third try this time. It worked again on his sixth try. At that point, Malik says, the phone’s AI seemed to learn Ammar’s features, and he could consistently unlock it again and again.
Touch ID included much of the same learning mechanisms as Face ID but the difference between the two is that genetics do not make it more likely for people you know (your family) to have similar fingerprints as you. In contrast, it is much more likely for a member of your family to look similar to you and confuse the Face ID learning process.
The training process for Face ID only kicks in if the face data matches to a ‘certain threshold’. What Apple may do in a future software update is increase this threshold of likeness. This would reduce the number of false-positives for the training to consider, making it harder for face data from family members to contribute to the learning process.
The downside of doing this is that Face ID would take longer to learn about situations where it really is you unlocking it, but fails to recognise you.
Another possible way Apple could improve the reliability of Face ID for people with similar-looking family members is to offer an ‘advanced training mode’ in Face ID settings.
The initial Face ID setup process only asks for two scans of a person’s face. An additional training mode would allow users to optionally add more ‘trusted’ information to the Face ID system, improving the neural network models with more data. This would reduce the chance of incorrect matches with family members.