Last updated: 1 month ago
Apple removed the physical Home button and Touch ID sensor with the launch of the iPhone X. By supporting face recognition, users can quickly unlock an iPhone or iPad Pro, sign in to services, and approve purchases without needing to press a button or manually enter a password.
● Quickly unlocks using your face
● Secure Enclave
● AES-256 encryption
● TrueDepth camera
Apple's Face ID is the successor to its Touch ID technology, moving biometric hardware-based authentication from the finger to the face. It relies on the company's TrueDepth sensor platform to capture the user's face and generate a 3D map. The key takeaway to this method is "depth," as this platform prevents others from using a photo or mask to unlock the device.
Devices with Face ID
Here is a current list of iPhones:
Here are the supported iPads:
Face ID and TrueDepth
This system requires multiple hardware components to enable face recognition securely.
First, when motion is detected, the TrueDepth Infrared camera looks for a face. If one is found, the proximity and ambient light sensors determine the amount of light needed for face recognition. A Flood Illuminator then washes the user's face with invisible infrared light. The front-facing camera confirms the presence of a face.
During the enrollment, Face ID creates 3D maps with a Dot Projector that projects a device-specific random pattern of over 30,000 invisible dots across the user's face. At the same time, Apple's TrueDepth Infrared Camera captures 2D infrared versions of the user's face. Enrollment requires the user to rotate their face while looking at the device, completing a circle, to capture multiple angles.
Once complete, this combined data is sent to the application processor. The neural engine turns this information into a mathematical representation. This data is then encrypted and stored on the device while the primary encryption key resides within the Secure Enclave. This "class" key is not accessible to anyone, not even Apple.
The TrueDepth system automatically activates when device owners tap the screen, raise the device, or when a notification wakes the screen. When the user attempts to unlock the device, the TrueDepth system captures a new image. This data goes to the neural engine and is compared with the encrypted data stored in the file system.
This face-matching is based on neural networks trained explicitly for matching faces. Apple states that the chance of a random stranger unlocking a device using face identification via a single enrolled appearance is 1 in 1,000,000. By comparison, Touch ID is 1 in 50,000.
This system works with hats, glasses, many sunglasses, and scarves. Significant changes require the user to reenroll their face, like shaving off a heavy beard. Apple states that the stored data is refined and updated each time users successfully unlock the device using face recognition. Additionally, this system updates the data if face recognition only finds a close match and forces the user to enter a passcode.
Apple recommends using a passcode for children ages 13 and under, for twins, and users with near-identical siblings. Face ID requires the user to establish a passcode for when facial recognition isn't possible, or after five failed attempts.
To enable face recognition, go to 'Settings' followed by 'Face ID & Passcode.'
Face ID and Secure Enclave
This is a coprocessor (or hardware-based key manager) that physically resides within the application processor package, like the Apple A7 and newer. It is isolated and communicates directly with the parent chip using an interrupt-driven "mailbox" — they also share memory data buffers. Because it's isolated and self-maintaining, it retains its integrity even if iOS or iPadOS are compromised.
According to Apple, it runs a custom version of the company's L4 microkernel (firmware) that's digitally signed by Apple and verified during the hardware boot chain process.
A portion of the neural engine is protected within the Secure Enclave. This AI converts data provided by the TrueDepth platform into mathematical representations. These numbers are encrypted and stored in the file system, as the Secure Enclave's 4MB of storage is only used for 256-bit elliptic curve private keys.
When a file is created on the device, the AES engine generates and uses a new 256-bit "per-file" key to encrypt the data as its written to the flash storage. This key is then encrypted using a class key and stored in the file's metadata, which in turn is encrypted with a random file system key created when iOS or iPadOS was first installed.
The Secure Enclave stores the class key and handles all wrapped file keys, meaning these keys are never revealed to the application processor. On devices that use the Apple File System, the file system metadata key is encrypted using the Secure Enclave's Hardware UID (Unique Identifier) key. The SoC's firmware encrypts all keys stored within the Secure Enclave.
The Secure Enclave is also installed in Apple's T2 chip for Macs supporting Touch ID. Apple said Face ID would eventually carry over to Macs, although no specific timeframe is known. A patent that surfaced in early 2020 indicated that the MacBook Pro and iMac would be the first.