Apple claims Face ID and Touch ID are secure, and for the most part that’s true. It’s extremely unlikely a random person could unlock your phone. But that’s not the only type of attack to worry about it. Let’s dig a little deeper.
Although they use different biometric authentication methods, Face ID and Touch ID are very similar under the hood. When you try to log in to your iPhone—either by looking at the camera on the front or putting your finger on the touch sensor—the phone compares the biometric data it detects with the data that’s saved in the Secure Enclave—a separate processor that’s entire purpose is to keep your phone secure. If the face or fingerprint matches, your iPhone unlocks. If not, you’re prompted to enter your passcode. While all this sounds good on paper, is it secure?
Face ID and Touch ID are Generally Secure
In general, Touch ID and Face ID are secure. Apple claims that there is a 1 in 50,000 chance that someone else’s fingerprint will falsely unlock your iPhone and a 1 in 1,000,000 chance that someone else’s face will do it. There’s a 1 in 10,000 someone could just guess a four digit passcode and a 1 in 1,000,000 chance they could guess your six digit passcode (and they get three tries before they’re locked out). That should put things into perspective.
The chance that someone could randomly pick up—or steal—your phone, and then be able to unlock it by using their fingerprint, face, or even by guessing your passcode is incredibly slim.
The one caveat to this is identical twins or siblings that look very similar are more likely to create a false positive. In that case, there is a chance that your sibling might be able to unlock your phone with Face ID. However, identical twins only make up 0.003% of the population, so it’s not a risk that applies to many. If this is something you’re worried about, you can turn off Face ID and just use a secure passcode.
But, guarding against this kind of casual intrusion isn’t the only thing to be concerned about.
Face ID and Touch ID May Be Vulnerable to Targeted Attacks
While it’s almost certain that no random stranger will be able to get into your phone, if you’re the victim of a targeted attack, things might be a little different.
Both Touch ID and Face ID are completely vulnerable if someone can force you to log in, either by holding your finger against the sensor (even when you’re asleep) or making you look at your phone. And those two types of attacks are much easier to pull off than forcing someone to give over their passcode.
So, what about faking fingerprints? Well, Touch ID has successfully been hacked. Researchers have been able to use fake finger prints to unlock devices secured with Touch ID. However, the same researchers call the technique “anything but trivial” and “still a little bit in the realm of a John le Carré novel.”
Basically, what the attackers need is a complete high resolution, non-smudged copy of your finger print, as well as thousands of dollars worth of equipment. In theory, someone who was really determined could probably get into your phone this way—possibly even from a photo of your fingerprint. The thing is, the data on the iPhones of the vast majority of people out there simply aren’t worth the cost and hassle of this kind of attack.
Plus, if you do have data that sensitive or valuable, you’re likely taking extra steps to secure that information. This is not the sort of thing that can be done quickly to random strangers.
Face ID hasn’t been hacked yet, but realistically, it will probably end up susceptible to the same kind of attacks as Touch ID. Wired spent several thousand dollars attempting to do it and failed, but that doesn’t mean it can’t be done. Marc Rogers, a hacker who advised Wired on the piece, is “still 90 percent sure [hackers] can fool this.” The iPhone X has only been out a few months, so we’ll see what the situation is like in a year.
What it all comes down to is one of the truisms of security. No method of authentication will ever stand up to a sufficiently determined attacker. There are always flaws that can be used; it’s just a matter of how easy they are to take advantage of.
Nothing Protects You From the Government
No amount of security can ever truly protect you from a determined government agency—US or otherwise—with essentially unlimited resources and a desire to get into your phone. Not only can they legally compel you to use Touch ID or Face ID to unlock your phone, but they also have access to tools like the GreyKey. GreyKey can supposedly crack any iOS device passcode, which makes Touch ID and Face ID useless. Apple works hard to close the vulnerabilities devices like this exploit, but people hoping for a pay day work equally hard to open new ones.
Touch ID and Face ID are incredibly convenient and—if they’re backed up with a strong passcode—secure for daily use by almost everyone. If you are the target of a determined hacker or government agency, however, they might not protect you for long.