Apple publishes white paper explaining usage and security of iPhone X Face ID
Apple has taken steps to educate potential owners of the iPhone X about Face ID ahead of its release on Nov. 3, releasing a white paper alongside a support document that explains how the biometric authentication technology works to keep the user's data secure.

Found within Apple's revamped privacy pages, the Face ID Security white paper gives an overview of how Face ID operates, as well as how users can expect to use the authentication system. Introduced as a replacement for Touch ID in the iPhone X, the six-page document is an attempt to convince wary potential users that Face ID is at least as secure as the well-known Touch ID, and that they have little to fear from the security change.
Along with the white paper, Apple has updated its support pages to include a briefer explanation of the technology and its security.
The overview of Face ID explains simply that the TrueDepth camera system accurately maps the geometry of the user's face using "advanced technologies," which consist of an infrared camera, a 7-megapixel camera sensor, a flood illuminator, and a dot projector. After confirming the user's attention by detecting the direction of their gaze, Face ID uses neural networks to match the face and to reject spoofing attempts to unlock the phone, with the system automatically adapting to changes in the user's appearance over time.
A passcode must be set up on the iPhone X before the user can set up Face ID, with Apple advising the passcode can be made longer and more complex as it will not need to be entered frequently. The passcode will still be requested from users in a number of circumstances, including when the iPhone X has just been turned on or restarted, hasn't been unlocked for more than 48 hours, the device has been remotely locked, after five failed Face ID unlock attempts, and after initiating an Emergency SOS mode.
Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and Face ID has not been used successfully in the last four hours. When Face ID is enabled, the device will immediately lock when the side button is pressed or when the device goes to sleep, with either the facial match or passcode required to wake the iPhone X each time.
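The passcode-fallback conditions listed above can be read as a single decision function. The following is an added model written for this article, not Apple's code: the field and function names are hypothetical, and it treats the 156-hour and four-hour conditions as a pair that must both hold, as the sentence above words it.

```python
from dataclasses import dataclass


@dataclass
class LockState:
    """Constructed model of the state the conditions refer to (names are assumptions)."""
    hours_since_passcode_unlock: float
    hours_since_face_id_success: float
    unlocked_since_boot: bool = True
    remotely_locked: bool = False
    failed_face_id_attempts: int = 0
    emergency_sos_initiated: bool = False

    @property
    def hours_since_any_unlock(self) -> float:
        # The most recent unlock of either kind resets the 48-hour clock.
        return min(self.hours_since_passcode_unlock,
                   self.hours_since_face_id_success)


def passcode_reasons(s: LockState) -> list:
    """Return every condition from the article that currently forces the passcode."""
    reasons = []
    if not s.unlocked_since_boot:
        reasons.append("just turned on or restarted")
    if s.hours_since_any_unlock > 48:
        reasons.append("not unlocked for more than 48 hours")
    if s.remotely_locked:
        reasons.append("remotely locked")
    if s.failed_face_id_attempts >= 5:
        reasons.append("five failed Face ID attempts")
    if s.emergency_sos_initiated:
        reasons.append("Emergency SOS initiated")
    # Both clocks must have run out: a stale passcode alone does not
    # interrupt a user who unlocked with Face ID within the last four hours.
    if s.hours_since_passcode_unlock > 156 and s.hours_since_face_id_success > 4:
        reasons.append("passcode idle over 156 hours and Face ID idle over 4 hours")
    return reasons


def face_id_allowed(s: LockState) -> bool:
    """Face ID may unlock the device only when no fallback condition applies."""
    return not passcode_reasons(s)


if __name__ == "__main__":
    # Constructed scenarios: (hours since passcode, hours since Face ID success)
    for label, state in [
        ("active user, old passcode", LockState(160, 1)),
        ("overnight, old passcode", LockState(160, 5)),
        ("overnight, recent passcode", LockState(10, 5)),
        ("five misses", LockState(1, 1, failed_face_id_attempts=5)),
    ]:
        print(f"{label}: {passcode_reasons(state) or 'Face ID allowed'}")
```
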
As raised during the September unveiling, it is claimed Face ID has a one in a million chance of being unlocked by a random person looking at the iPhone X, compared to a 1 in 50,000 false positive chance for Touch ID. The chance of a false match does increase for twins and siblings who bear a similar appearance to one another, as well as for children under the age of 13, which Apple claims is due to the possibility that distinct facial features may not have fully developed. Apple suggests continuing to use the passcode to authenticate in these cases.

Going into more detail about how the system works, the document explains over 30,000 infrared dots are projected onto the user's face and are read by the TrueDepth camera, with a depth map and 2D infrared image combined to create a sequence of images and depth maps that are digitally signed and stored in the Secure Enclave. For extra security, this sequence is randomized, with the infrared dot pattern also given a device-specific randomization.
A section of the A11 Bionic chip's neural engine, protected within the Secure Enclave, turns this data into a mathematical representation, which is then compared to the enrolled facial data, itself a mathematical representation of the user's face captured during enrollment. An additional neural network, trained to detect spoofing attempts, is also used in the facial data analysis.
There are three types of Face ID data that are encrypted and stored in the Secure Enclave, data which Apple insists does not leave the device, is not sent to Apple, and is not included in device backups. The infrared images and mathematical representations created during enrollment are stored alongside any other mathematical representations calculated during some unlock attempts, if Face ID deems them useful to improve future matching attempts.
This extra stored data is useful to the iPhone X as it provides more reference points for Face ID to authenticate the user, allowing it also to take into account both temporary and longer-term changes in their appearance.
As the neural networks may update over the device's ownership, the iPhone X will be able to automatically run any stored images within the Secure Enclave through the updated neural network. To minimize the amount of background information, the enrollment images are cropped to just the user's face. Face images captured during unlocking are not saved, and are immediately discarded once the mathematical representation has been calculated.

As for daily use outside of unlocking the iPhone X, Apple includes sections explaining how Face ID works with Apple Pay and with third-party apps.
For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change to a different Apple Pay payment method, but will not need to tap the button again.
For apps and online purchases, the same double-tap and Face ID authentication process takes place, but if the transaction is not completed within 30 seconds of pressing the side button, users will have to reconfirm their intent to pay by double-clicking a second time.
Third-party apps are able to use Face ID or the passcode to authenticate users using system-provided APIs, with apps that currently support Touch ID automatically supporting Face ID without any changes. These apps cannot access Face ID data, but instead are notified only if the authentication succeeded or failed.
While Apple does stress the Face ID data is only stored on the iPhone X and is not transmitted to the company, it is possible for a user to provide Face ID diagnostic data to AppleCare for support purposes, though not any Face ID data created prior to a support request.
After receiving a digitally signed authorization from Apple, users have to go through the Face ID enrollment again as the original Face ID data is wiped, with the iPhone X then automatically recording Face ID images during authentication attempts for a seven-day period. This specifically-collected data is not automatically sent to Apple, as users have a chance to review and approve the data before it is encrypted and dispatched, then deleted from the iPhone X.
If users using the Face ID diagnostics do not conclude the session, the diagnostic images will be deleted automatically after 90 days. Users can also disable and delete the diagnostic data at any time.
During Apple's September event, executive Craig Federighi's live demonstration of Face ID suffered a mishap where the first iPhone X used failed to authenticate and required a passcode, forcing the presentation to switch to a backup device. After the event, it was revealed Face ID was working as designed, but the company believes it tried to authenticate employees tasked with setting up the demonstration area before the big reveal, using up the limited number of failed authentication attempts.

Comments
Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm by touching my finger to the Home button and that's it.
With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again? This seems like a slightly more cumbersome procedure. I suppose I could double-tap the side button while pulling the iPhone from my pocket, authenticate and then hold to the reader, but will that work?
Overall, it doesn't matter terribly as I usually use my Apple Watch for Apple Pay. However, twice lately (at Big Y) my Apple Watch hasn't been successful and I've had to use my iPhone as a backup.
Your understanding is incorrect.
You double-tap the button and simultaneously look at your iPhone X .... FaceID does its thing, and you're ready to tap the payment terminal.
It's that easy -- essentially the same experience as using your watch, just with FaceID mixed in (which will be effectively unnoticeable).
1. Double-click the lock button. This brings up the wallet and scans your face in the background.
2. Pick the card you want to use if it is different from the default.
3. Hold your phone to the terminal.
With TouchID, the flow is generally this:
1. Hold your phone to the terminal. This brings up the wallet.
2. Pick the card you want to use if it is different from the default.
3. Touch the TouchID sensor to identify and confirm intent.
4. Hold your phone to the terminal to complete the transaction.
In Settings > Wallet & Apple Pay, there is an option to bring up the wallet with a double-click on the home button. I don't know if it is on by default, but it is off on my phone and I do not remember changing it. With that, the flow would be like the Face ID flow:
1. Double-click the home button to bring up the wallet. If you leave your enrolled finger on it, it can scan your finger to verify identity.
2. Pick the card you want to use if it is different from the default.
3. Hold your phone to the terminal.
The above is from the article. If I read that right, and please tell me if you think I'm wrong, but isn't that saying if you don't use your phone for four hours you need the passcode? That's ridiculous. Right now I think it's 48 hours then you have to use the passcode if you haven't used the Touch ID.
I wonder what attacks might be possible on the depth mapping. For example, is the depth map built in the TrueDepth module itself? It sounds like it is, and then it is signed and shipped off to the Secure Enclave. If so, forging depth map data could be possible, but would be extremely difficult.
This means that you'll have to use your passcode to unlock the iPhone once a week even if none of the other conditions are met. The second condition - the 4 hours - means that the iPhone won't force you to enter the passcode (if it hasn't been entered in 6-1/2 days) while you're using it, e.g. in the middle of the day. It will wait until after you haven't used the iPhone for a while, e.g. while you were sleeping, to force you to make your once-a-week passcode entry.
This still makes using Apple Pay in-store a little less convenient with a Face ID iPhone than it is with a Touch ID iPhone, but it shouldn't be too big a deal. And there has to be some way of confirming that you intend to pay other than just looking at the iPhone. With a Touch ID iPhone, placing your finger over the Touch ID sensor functions to confirm both your identity and your intent to pay.
Apple making a special point of setting up a system for sorting Face ID issues should make it obvious that they are still fine-tuning this. Give it another year and time for Apple to tweak it.
I think you are misreading the requirements. The four-hour clock only starts *after* the 156-hour clock runs out.
I'm thinking more about attacks specifically to pass off false data as true. The dot projector pattern uniqueness is only a partial defense due to the birthday paradox. Still, more layers are always good.
The mask-rejection network is probably the best place to attack for the foreseeable future. It would be very interesting to see the false-positive and false-negative rates of that recognizer.
Attacks from within the system are probably limited. To the best of my knowledge, nobody has arbitrary code execution on the Touch ID processor. Face ID will probably be similar in that regard. They just don't need to receive data from anything in the rest of the phone, so input opportunities are limited. Getting the TrueDepth module to execute arbitrary code would almost certainly be required to get it to sign forged depth data.
I am also very curious about what exactly burns a face recognition attempt. For example, if the phone wakes up in my pocket and sees nothing, does that count as a failure to recognize a face? If it's sitting face-up on my desk and I tap the screen to wake it, but I'm way off to the side and the camera only sees the ceiling, does that count? What if there's a face, but that person isn't looking at the phone (say, a coworker bumps the phone while looking at something else)?
- take out phone
- confirm intent to pay: double-click side button while looking at it in your hand
- wave at NFC terminal (hoping it's turned on and working)
Vs with Touch ID:
- take out phone
- confirm intent to pay: place finger
- wave at NFC terminal (hoping it's turned on and working)
...the side button double-click and face authentication are simultaneous so it's likely insignificant IRL. Just as with the Watch, double-clicking the side button is no big deal, an action that effectively costs nothing.
...Or you could wait and try it before you condemn it, but where is the troll glory in that...
To the best of my knowledge, there have been no serious studies at all of fingerprint fragment similarity. Touch ID only looks at a section (about a 1/4" by 1/4") of your fingerprint at a time. It is meant to be orientation-insensitive and it has no knowledge of which finger is which. It also matches the section against a larger sample of your fingerprint internally. Finally, it has no idea which fingers it knows or which fingers are being presented to it. All of these dramatically increase the probability of collisions.
If someone's left ring finger rotated 70º has the same pattern as part of your right thumb, Touch ID can't tell the difference. We don't know how likely it is for a set of identical twins to have overlapping fingerprint fragments.