Conventional wisdom says that Face ID is more secure than Touch ID. But you may want to rethink whether this applies to you.
Now, let us look at what the conventional wisdom says. According to Apple’s Face ID Security Guide, the chances of a random person unlocking your iOS device using Face ID are 1 in a million (exceptions apply for twins, siblings and children under the age of 13). The chances for Touch ID, on the other hand, are 1 in 50,000. So, based on statistical probability, Face ID is 20 times more secure than Touch ID.
Let us look at security at the practical level. With Touch ID, if you are asleep or unconscious (or dead?), someone can unlock your iOS device by pressing your thumb against the fingerprint scanner. There is a true case where a young child ran up huge spending on the App Store by using his sleeping parent’s fingerprint to unlock the iPhone! You cannot try this trick with Face ID. As Apple explained,
“Face ID is even attention-aware. It recognizes if your eyes are open and your attention is directed towards the device. This makes it more difficult for someone to unlock your device without your knowledge (such as when you are sleeping).”
Also, a high-resolution photo of your face cannot fool Face ID.
So, we have established the case for conventional wisdom. But what about the unconventional scenario?
Let’s say a hacker makes a high-quality 3D-printed model of your face. Can that model fool Face ID? Nothing in Apple’s Face ID Security Guide suggests that Face ID cannot be fooled by a model of your face. As far as is publicly known, no one has tried it yet. So, it is a big unknown.
Pundits will counter by asking: who would go to the extent of making a 3D-printed model of your face in the first place?
But make no mistake about this: technology exists today that can generate a 3D mathematical representation of your face from a 2D photo of your face.
So, do you have a portrait photo of your face on LinkedIn? Or let’s say you are something of a public figure, and photos of your face taken from various angles are found all over the Internet. If a hacker collects all these publicly available photos, will they be enough for him to feed into software that generates a 3D mathematical representation of your face? If a 3D mathematical representation of your face exists, then a 3D printer can produce a physical model of your face. Can Face ID be fooled by a 3D model of your face?
Pundits may counter that this is the same problem as Touch ID. You can google many cases where Touch ID has been fooled. But there is one major practical security difference between Touch ID and Face ID. To steal your fingerprint, the hacker has to go to where you are physically located. But for Face ID, if photos of your face are all over the Internet, the hacker can do that remotely.
So, to sum up, if you are something of a public figure, you may want to reconsider using Face ID.