Apple publishes white paper explaining usage and security of iPhone X Face ID

By Malcolm Owen

Apple has taken steps to educate potential owners of the iPhone X about Face ID ahead of its release on Nov. 3, releasing a white paper alongside a support document that explains how the biometric authentication technology works to keep the user's data secure.

Found within Apple's revamped privacy pages, the Face ID Security white paper gives an overview of how Face ID operates, as well as how users can expect to use the authentication system. Introduced as a replacement for Touch ID in the iPhone X, the six-page document is an attempt to convince wary potential users that Face ID is at least as secure as the well-known Touch ID, and that they have little to fear from the security change.

Along with the white paper, Apple has updated its support pages to include a briefer explanation of the technology and its security.

The overview of FaceID explains simply that the TrueDepth camera system accurately maps the geometry of the user's face using "advanced technologies," which consists of an infrared camera, a 7-megapixel camera sensor, a flood illuminator, and a dot projector. Confirming the attention of the user by detecting the direction of their gaze, Face ID then uses neural networks to match and prevent spoofing attempts to unlock the phone, with the system automatically adapting to changes in the user's appearance over time.

A passcode must be set up on the iPhone X before the user can set up Face ID, with Apple advising the passcode can be made longer and more complex as it will not need to be entered frequently. The passcode will still be requested from users in a number of circumstances, including when the iPhone X has just been turned on or restarted, hasn't been unlocked for more than 48 hours, the device has been remotely locked, after five failed Face ID unlock attempts, and after initiating an Emergency SOS mode.

Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and if Face ID has not been used successfully in the last four hours. When Face ID is enabled, the device will immediately lock when the side button is pressed or when the device goes to sleep, with either the facial match or passcode required to wake the iPhone X each time.

As raised during the September unveiling, it is claimed Face ID has a one in a million chance of being unlocked by a random person looking at the iPhone X, compared to a 1 in 50 thousand false positive chance for Touch ID. The chance of a false match does increase for twins and siblings who bear a similar appearance to one another, as well as for children under the age of 13, which Apple claims is due to the possibility that distinct facial features may not have fully developed, with Apple suggesting to keep using the passcode to authenticate in these cases.

Going into more detail about how the system works, the document explains over 30,000 infrared dots are projected onto the user's face and are read by the TrueDepth camera, with a depth map and 2D infrared image combined to create a sequence of images and depth maps that are digitally signed and stored in the Secure Enclave. For extra security, this sequence is randomized, with the infrared dot pattern also given a device-specific randomization.

A section of the A11 Bionic chip's neural engine, protected within the Secure Enclave, turns this data into a mathematical representation, which is then compared to the enrolled facial data, itself a mathematical representation of the user's face captured during enrollment. An additional neural network, trained to detect spoofing attempts, is also used in the facial data analysis.

There are three types of Face ID data that are encrypted and stored in the Secure Enclave, data which Apple insists does not leave the device, is not sent to Apple, and is not included in device backups. The infrared images and mathematical representations created during enrollment are stored alongside any other mathematical representations calculated during some unlock attempts, if Face ID deems them useful to improve future matching attempts.

This extra stored data is useful to the iPhone X as it provides more reference points for Face ID to authenticate the user, allowing it also to take into account both temporary and longer-term changes in their appearance.

As the neural networks may update over the device's ownership, the iPhone X will be able to automatically run any stored images within the Secure Enclave through the updated neural network. To minimize the amount of background information, the enrollment images are cropped to just the user's face. Face images captured during unlocking are not saved, and are immediately discarded once the mathematical representation has been calculated.

As for daily use outside of unlocking the iPhone X, Apple includes sections explaining how Face ID works with Apple Pay and with third-party apps.

For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change a different Apple Pay payment method, but will not need to tap the button again.

For apps and online purchases, the same double-tap and Face ID authentication process takes place, but if the transaction is not completed within 30 seconds of pressing the side button, users will have to reconfirm their intent to pay by double-clicking a second time.

Third-party apps are able to use Face ID or the passcode to authenticate users using system-provided APIs, with apps that currently support Touch ID automatically supporting Face ID without any changes. These apps cannot access Face ID data, but instead are notified only if the authentication succeeded or failed.

While Apple does stress the Face ID data is only stored on the iPhone X and is not transmitted to the company, it is possible for a user to provide Face ID diagnostic data to AppleCare for support purposes, though not any Face ID data created prior to a support request.

After receiving a digitally signed authorization from Apple, users have to go through the Face ID enrollment again as the original Face ID data is wiped, with the iPhone X then automatically recording Face ID images during authentication attempts for a seven-day period. This specifically-collected data is not automatically sent to Apple, as users have a chance to review and approve the data before it is encrypted and dispatched, then deleted from the iPhone X.

If users using the Face ID diagnostics do not conclude the session, the diagnostic images will be deleted automatically after 90 days. Users can also disable and delete the diagnostic data at any time.

During Apple's September event, executive Craig Federighi's live demonstration of Face ID suffered a mishap where the first iPhone X used failed to authenticate and required a passcode, forcing the presentation to switch to a backup device. After the event, it was revealed Face ID was working as designed, but the company believes it tried to authenticate employees tasked with setting up the demonstration area before the big reveal, using up the limited number of failed authentication attempts.