Apple publishes white paper explaining usage and security of iPhone X Face ID

Apple has taken steps to educate potential owners of the iPhone X about Face ID ahead of its release on Nov. 3, releasing a white paper alongside a support document that explains how the biometric authentication technology works to keep the user's data secure.




Found within Apple's revamped privacy pages, the Face ID Security white paper gives an overview of how Face ID operates, as well as how users can expect to use the authentication system. With Face ID introduced as a replacement for Touch ID in the iPhone X, the six-page document is an attempt to convince wary potential users that Face ID is at least as secure as the well-known Touch ID, and that they have little to fear from the security change.

Along with the white paper, Apple has updated its support pages to include a briefer explanation of the technology and its security.

The overview of Face ID explains simply that the TrueDepth camera system accurately maps the geometry of the user's face using "advanced technologies," and consists of an infrared camera, a 7-megapixel camera sensor, a flood illuminator, and a dot projector. After confirming the user's attention by detecting the direction of their gaze, Face ID then uses neural networks for matching and for preventing spoofing attempts to unlock the phone, with the system automatically adapting to changes in the user's appearance over time.

A passcode must be set up on the iPhone X before the user can set up Face ID, with Apple advising that the passcode can be made longer and more complex as it will not need to be entered frequently. The passcode will still be requested from users in a number of circumstances, including when the iPhone X has just been turned on or restarted, when it hasn't been unlocked for more than 48 hours, when the device has been remotely locked, after five failed Face ID unlock attempts, and after initiating an Emergency SOS mode.

Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and if Face ID has not been used successfully in the last four hours. When Face ID is enabled, the device will immediately lock when the side button is pressed or when the device goes to sleep, with either the facial match or passcode required to wake the iPhone X each time.
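
The passcode conditions listed in the two paragraphs above, written out as a decision function. This is an added illustration, not Apple's code: the `DeviceState` fields, reason labels and timestamps are constructed for the example, and only the thresholds come from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Thresholds as reported in the article.
NO_UNLOCK_LIMIT = timedelta(hours=48)      # no unlock of any kind
PASSCODE_AGE_LIMIT = timedelta(hours=156)  # passcode not used to unlock
FACE_ID_IDLE_LIMIT = timedelta(hours=4)    # no successful Face ID match
MAX_FAILED_MATCHES = 5


@dataclass
class DeviceState:
    """Hypothetical snapshot of the inputs the policy depends on."""
    booted_at: datetime
    last_passcode: Optional[datetime] = None  # last passcode unlock
    last_face_id: Optional[datetime] = None   # last successful Face ID match
    failed_face_matches: int = 0
    remotely_locked: bool = False
    emergency_sos: bool = False


def passcode_reasons(s: DeviceState, now: datetime) -> List[str]:
    """Return every reason a passcode is required; an empty list means
    Face ID is allowed to unlock the device."""
    reasons = []
    # Modelling assumption: "just turned on or restarted" is treated as
    # "no passcode unlock since the last boot".
    if s.last_passcode is None or s.last_passcode < s.booted_at:
        reasons.append("restart")
    if s.remotely_locked:
        reasons.append("remote_lock")
    if s.failed_face_matches >= MAX_FAILED_MATCHES:
        reasons.append("failed_attempts")
    if s.emergency_sos:
        reasons.append("emergency_sos")

    # 48-hour rule: measured from the most recent unlock of either kind.
    unlocks = [t for t in (s.last_passcode, s.last_face_id) if t is not None]
    if unlocks and now - max(unlocks) > NO_UNLOCK_LIMIT:
        reasons.append("idle_48h")

    # Combined rule: BOTH timers must have expired. A stale passcode alone
    # does not lock out Face ID, and neither does four idle hours alone.
    passcode_stale = (s.last_passcode is not None
                      and now - s.last_passcode > PASSCODE_AGE_LIMIT)
    face_id_idle = (s.last_face_id is None
                    or now - s.last_face_id > FACE_ID_IDLE_LIMIT)
    if passcode_stale and face_id_idle:
        reasons.append("passcode_156h_and_face_id_4h")
    return reasons


def demo() -> Dict[str, List[str]]:
    """Evaluate the policy over a constructed timeline."""
    t0 = datetime(2017, 11, 6, 8, 0)  # constructed: boot and first passcode unlock

    def at(hours_since_t0, face_id_hours_ago, **flags):
        now = t0 + timedelta(hours=hours_since_t0)
        state = DeviceState(booted_at=t0, last_passcode=t0,
                            last_face_id=now - timedelta(hours=face_id_hours_ago),
                            **flags)
        return passcode_reasons(state, now)

    # Device restarted 20 hours in; the passcode has not been entered since.
    rebooted = DeviceState(booted_at=t0 + timedelta(hours=20), last_passcode=t0,
                           last_face_id=t0 + timedelta(hours=19))
    return {
        "passcode 157h old, Face ID 1h ago": at(157, 1),
        "passcode 165h old, Face ID 5h ago": at(165, 5),
        "passcode 10h old, Face ID 5h ago": at(10, 5),
        "five failed matches": at(10, 1, failed_face_matches=5),
        "no unlock for 49h": at(51, 49),
        "after restart": passcode_reasons(rebooted, t0 + timedelta(hours=20, minutes=5)),
    }


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label}: {reasons or 'Face ID allowed'}")
```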

As raised during the September unveiling, Apple claims there is a one in a million chance of a random person being able to unlock the iPhone X with Face ID by looking at it, compared to a 1 in 50 thousand false positive chance for Touch ID. The chance of a false match does increase for twins and siblings who bear a similar appearance to one another, as well as for children under the age of 13, which Apple claims is due to the possibility that distinct facial features may not have fully developed. Apple suggests using the passcode to authenticate in these cases.




Going into more detail about how the system works, the document explains over 30,000 infrared dots are projected onto the user's face and are read by the TrueDepth camera, with a depth map and 2D infrared image combined to create a sequence of images and depth maps that are digitally signed and stored in the Secure Enclave. For extra security, this sequence is randomized, with the infrared dot pattern also given a device-specific randomization.

A section of the A11 Bionic chip's neural engine, protected within the Secure Enclave, turns this data into a mathematical representation, which is then compared to the enrolled facial data, itself a mathematical representation of the user's face captured during enrollment. An additional neural network, trained to detect spoofing attempts, is also used in the facial data analysis.

There are three types of Face ID data that are encrypted and stored in the Secure Enclave, data which Apple insists does not leave the device, is not sent to Apple, and is not included in device backups. The infrared images and mathematical representations created during enrollment are stored alongside any other mathematical representations calculated during some unlock attempts, if Face ID deems them useful to improve future matching attempts.

This extra stored data is useful to the iPhone X as it provides more reference points for Face ID to authenticate the user, allowing it also to take into account both temporary and longer-term changes in their appearance.

As the neural networks may update over the device's ownership, the iPhone X will be able to automatically run any stored images within the Secure Enclave through the updated neural network. To minimize the amount of background information, the enrollment images are cropped to just the user's face. Face images captured during unlocking are not saved, and are immediately discarded once the mathematical representation has been calculated.




As for daily use outside of unlocking the iPhone X, Apple includes sections explaining how Face ID works with Apple Pay and with third-party apps.

For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change to a different Apple Pay payment method, but will not need to tap the button again.

For apps and online purchases, the same double-tap and Face ID authentication process takes place, but if the transaction is not completed within 30 seconds of pressing the side button, users will have to reconfirm their intent to pay by double-clicking a second time.

Third-party apps are able to use Face ID or the passcode to authenticate users using system-provided APIs, with apps that currently support Touch ID automatically supporting Face ID without any changes. These apps cannot access Face ID data, but instead are notified only if the authentication succeeded or failed.

While Apple does stress the Face ID data is only stored on the iPhone X and is not transmitted to the company, it is possible for a user to provide Face ID diagnostic data to AppleCare for support purposes, though not any Face ID data created prior to a support request.

After receiving a digitally signed authorization from Apple, users have to go through the Face ID enrollment again as the original Face ID data is wiped, with the iPhone X then automatically recording Face ID images during authentication attempts for a seven-day period. This specifically-collected data is not automatically sent to Apple, as users have a chance to review and approve the data before it is encrypted and dispatched, then deleted from the iPhone X.

If users using the Face ID diagnostics do not conclude the session, the diagnostic images will be deleted automatically after 90 days. Users can also disable and delete the diagnostic data at any time.

During Apple's September event, executive Craig Federighi's live demonstration of Face ID suffered a mishap where the first iPhone X used failed to authenticate and required a passcode, forcing the presentation to switch to a backup device. After the event, it was revealed Face ID was working as designed, but the company believes it tried to authenticate employees tasked with setting up the demonstration area before the big reveal, using up the limited number of failed authentication attempts.

Comments

  • Reply 1 of 33

    For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change a different Apple Pay payment method, but will not need to tap the button again.
    "Confirm intent to pay"?

    Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm by touching my finger to the Home button and that's it.

    With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again?  This seems like a slightly more cumbersome procedure.  I suppose I could double-tap the side button while pulling the iPhone from my pocket, authenticate and then hold to the reader, but will that work?

    Overall, it doesn't matter terribly as I usually use my Apple Watch for Apple Pay.  However, twice lately (at Big Y) my Apple Watch hasn't been successful and I've had to use my iPhone as a backup.
  • Reply 2 of 33
    wizard69 Posts: 13,377 member
    Now all we need is a white paper on the A11 chip. Something that reveals the GPU architecture, how the AI is handled (the coprocessor) and an overall review of the design.


  • Reply 3 of 33
    cali Posts: 3,494 member

    For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change a different Apple Pay payment method, but will not need to tap the button again.
    "Confirm intent to pay"?

    Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm my touching my finger to the Home button and that's it.

    With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again?  This seems like a slightly more cumbersome procedure.  I suppose I could double-tap the side button while pulling the iPhone from my pocket, authenticate and then hold to the reader, but will that work?

    Overall, it doesn't matter terribly as I usually use my Apple Watch for Apple Pay.  However, twice lately (at Big Y) my Apple Watch hasn't been successful and I've had to use my iPhone as a backup.
    Sounds like sh**. I’ve been noticing TouchID more now and yes it’s easier to just look at the screen for locked apps but Apple Pay seems like a pain in comparison. 
    edited September 2017
  • Reply 4 of 33
    SendMcjak Posts: 66 unconfirmed, member
    "Confirm intent to pay"?

    Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm my touching my finger to the Home button and that's it.

    With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again?  This seems like a slightly more cumbersome procedure.  I suppose I could double-tap the side button while pulling the iPhone from my pocket, authenticate and then hold to the reader, but will that work?

    Overall, it doesn't matter terribly as I usually use my Apple Watch for Apple Pay.  However, twice lately (at Big Y) my Apple Watch hasn't been successful and I've had to use my iPhone as a backup.

    Your understanding is incorrect.

    You double-tap the button and simultaneously look at your iPhone X ... Face ID does its thing, and you're ready to tap the payment terminal.

    It's that easy -- essentially the same experience as using your watch, just with FaceID mixed in (which will be effectively unnoticeable).
    edited September 2017
  • Reply 5 of 33

    For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change a different Apple Pay payment method, but will not need to tap the button again.
    "Confirm intent to pay"?

    Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm my touching my finger to the Home button and that's it.

    With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again?  This seems like a slightly more cumbersome procedure.  I suppose I could double-tap the side button while pulling the iPhone from my pocket, authenticate and then hold to the reader, but will that work?

    Overall, it doesn't matter terribly as I usually use my Apple Watch for Apple Pay.  However, twice lately (at Big Y) my Apple Watch hasn't been successful and I've had to use my iPhone as a backup.
    The "confirm intent to pay" part actually removes the first "touch phone to terminal" part of the TouchID payment flow. With Face ID, the flow sounds like it will be this:

    1. Double-click the lock button. This brings up the wallet and scans your face in the background.
    2. Pick the card you want to use if it is different from the default.
    3. Hold your phone to the terminal.

    With TouchID, the flow is generally this:

    1. Hold your phone to the terminal. This brings up the wallet.
    2. Pick the card you want to use if it is different from the default.
    3. Touch the TouchID sensor to identify and confirm intent.
    4. Hold your phone to the terminal to complete the transaction.

    In Settings > Wallet & Apple Pay, there is an option to bring up the wallet with a double-click on the home button. I don't know if it is on by default, but it is off on my phone and I do not remember changing it. With that, the flow would be like the Face ID flow:

    1. Double-click the home button to bring up the wallet. If you leave your enrolled finger on it, it can scan your finger to verify identity.
    2. Pick the card you want to use if it is different from the default.
    3. Hold your phone to the terminal.
  • Reply 6 of 33
    "Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and if Face ID has not been used successfully in the last four hours."

    The above is from the article. If I read that right, and please tell me if you think I'm wrong, but isn't that saying if you don't use your phone for four hours you need the passcode? That's ridiculous. Right now I think it's 48 hours then you have to use the passcode if you haven't used the Touch ID. 
  • Reply 7 of 33
    slurpy Posts: 5,384 member
    "Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and if Face ID has not been used successfully in the last four hours."

    The above is from the article. If I read that right, and please tell me if you think I'm wrong, but isn't that saying if you don't use your phone for four hours you need the passcode? That's ridiculous. Right now I think it's 48 hours then you have to use the passcode if you haven't used the Touch ID. 
    Why is that "ridiculous"? There's probably a very tiny percentage of people that don't touch their phone for 4 full straight hrs during the day. And if I need to enter my passcode once per day when I get up, I have no problem with that. 
  • Reply 8 of 33
    While I would love deeper technical detail on Face ID, this is an excellent overview. It sounds like one of the best-engineered biometric systems for mass deployment I have ever seen. Randomized per-device dot patterns? That's amazing. I wonder how dissimilar the projected dot patterns are from one another. For example, if I got dot patterns from 100 iPhone X units, what are the chances I would see the same pattern twice? What about the chances of two having 95% of the dots in the same place?

    I wonder what attacks might be possible on the depth mapping. For example, is the depth map built in the TrueDepth module itself? It sounds like it is, and then it is signed and shipped off to the Secure Enclave. If so, forging depth map data could be possible, but would be extremely difficult.
  • Reply 9 of 33
    carnegie Posts: 1,078 member
    "Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and if Face ID has not been used successfully in the last four hours."

    The above is from the article. If I read that right, and please tell me if you think I'm wrong, but isn't that saying if you don't use your phone for four hours you need the passcode? That's ridiculous. Right now I think it's 48 hours then you have to use the passcode if you haven't used the Touch ID. 
    The second condition only applies if the first condition is met.

    This means that you'll have to use your passcode to unlock the iPhone once a week even if none of the other conditions are met. The second condition - the 4 hours - means that the iPhone won't force you to enter the passcode (if it hasn't been entered in 6-1/2 days) while you're using it, e.g. in the middle of the day. It will wait until after you haven't used the iPhone for a while, e.g. while you were sleeping, to force you to make your once-a-week passcode entry.
  • Reply 10 of 33
    carnegie Posts: 1,078 member

    For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change a different Apple Pay payment method, but will not need to tap the button again.
    "Confirm intent to pay"?

    Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm my touching my finger to the Home button and that's it.

    With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again?  This seems like a slightly more cumbersome procedure.  I suppose I could double-tap the side button while pulling the iPhone from my pocket, authenticate and then hold to the reader, but will that work?

    Overall, it doesn't matter terribly as I usually use my Apple Watch for Apple Pay.  However, twice lately (at Big Y) my Apple Watch hasn't been successful and I've had to use my iPhone as a backup.
    My understanding is that the bolded method will work. You don't have to hold the iPhone near the payment terminal before you double tap the side button.

    This still makes using Apple Pay in-store a little less convenient with a Face ID iPhone than it is with a Touch ID iPhone, but it shouldn't be too big a deal. And there has to be some way of confirming that you intend to pay other than just looking at the iPhone. With a Touch ID iPhone, placing your finger over the Touch ID sensor functions to confirm both your identity and your intent to pay.
    edited September 2017
  • Reply 11 of 33
    gatorguy Posts: 24,213 member
    zimmie said:
    While I would love deeper technical detail on Face ID, this is an excellent overview. It sounds like one of the best-engineered biometric systems for mass deployment I have ever seen. Randomized per-device dot patterns? That's amazing. I wonder how dissimilar the projected dot patterns are from one another. For example, if I got dot patterns from 100 iPhone X units, what are the chances I would see the same pattern twice? What about the chances of two having 95% of the dots in the same place?

    I wonder what attacks might be possible on the depth mapping. For example, is the depth map built in the TrueDepth module itself? It sounds like it is, and then it is signed and shipped off to the Secure Enclave. If so, forging depth map data could be possible, but would be extremely difficult.
    I don't believe it's Apple's intent, at least for now, to claim that Face ID is the end-all and be-all and no one can get into your phone if your face doesn't match. Even within the white paper Apple advises that if you have siblings who closely resemble you or if you have children under the age of 13 that a passcode should be used instead because the chances of misidentification are higher. My guess is that's why a passcode needs to be entered at least every 4 hours if your phone goes unused.

    Apple making a special point of setting up a system for sorting Face ID issues should make it obvious that they are still fine-tuning this. Give it another year and time for Apple to tweak it.
  • Reply 12 of 33
    "Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and if Face ID has not been used successfully in the last four hours."

    The above is from the article. If I read that right, and please tell me if you think I'm wrong, but isn't that saying if you don't use your phone for four hours you need the passcode? That's ridiculous. Right now I think it's 48 hours then you have to use the passcode if you haven't used the Touch ID. 
    Nope. It is an "and", not an "or". After 156 hours, it starts the four-hour clock. The idea is to avoid interrupting you in the middle of the workday. If you don't wake and look at your phone for over four hours, you're probably asleep or doing something entirely without your phone.
  • Reply 13 of 33

    gatorguy said:
    zimmie said:
    While I would love deeper technical detail on Face ID, this is an excellent overview. It sounds like one of the best-engineered biometric systems for mass deployment I have ever seen. Randomized per-device dot patterns? That's amazing. I wonder how dissimilar the projected dot patterns are from one another. For example, if I got dot patterns from 100 iPhone X units, what are the chances I would see the same pattern twice? What about the chances of two having 95% of the dots in the same place?

    I wonder what attacks might be possible on the depth mapping. For example, is the depth map built in the TrueDepth module itself? It sounds like it is, and then it is signed and shipped off to the Secure Enclave. If so, forging depth map data could be possible, but would be extremely difficult.
    I don't believe it's Apple's intent at least for now to claim that face ID is the end-all and be-all and no one can get into your phone if your face doesn't match. Even within the white paper Apple advises that if you have siblings who closely resemble you or if you have children under the age of 13 that a passcode should be instead because the chances of misidentification is higher. My guess is that's why a passcode needs to be entered at least every 4 hours if your phone goes unused. 

    With Apple making a special point of setting up a system for sorting face ID issues should make it obvious that they are still fine-tuning this. Give it another year and time for Apple to tweak it
    I think you are misreading the requirements. The four-hour clock only starts *after* the 156-hour clock runs out.

    I'm thinking more about attacks specifically to pass off false data as true. The dot projector pattern uniqueness is only a partial defense due to the birthday paradox. Still, more layers are always good.

    The mask-rejection network is probably the best place to attack for the foreseeable future. It would be very interesting to see the false-positive and false-negative rates of that recognizer.

    Attacks from within the system are probably limited. To the best of my knowledge, nobody has arbitrary code execution on the Touch ID processor. Face ID will probably be similar in that regard. They just don't need to receive data from anything in the rest of the phone, so input opportunities are limited. Getting the TrueDepth module to execute arbitrary code would almost certainly be required to get it to sign forged depth data.

    I am also very curious about what exactly burns a face recognition attempt. For example, if the phone wakes up in my pocket and sees nothing, does that count as a failure to recognize a face? If it's sitting face-up on my desk and I tap the screen to wake it, but I'm way off to the side and the camera only sees the ceiling, does that count? What if there's a face, but that person isn't looking at the phone (say, a coworker bumps the phone while looking at something else)?
  • Reply 14 of 33

    For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change a different Apple Pay payment method, but will not need to tap the button again.
    "Confirm intent to pay"?

    Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm my touching my finger to the Home button and that's it.

    With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again?  
    No. It's like this. You are ready to checkout at the store. You:

    - take out phone
    - confirm intent to pay: double-click side button while looking at it in your hand
    - wave at NFC terminal (hoping it's turned on and working)

    Vs with Touch ID:

    - take out phone
    - confirm intent to pay: place finger
    - wave at NFC terminal (hoping it's turned on and working)

    ...the side button double-click and face authentication are simultaneous so it's likely insignificant IRL. Just as with the Watch, double-clicking the side button is no big deal, an action that effectively costs nothing.
    edited September 2017
  • Reply 15 of 33
    zimmie said:
    "Users will also be required to use the passcode if it hasn't been used to unlock the iPhone X in the last 156 hours and if Face ID has not been used successfully in the last four hours."

    The above is from the article. If I read that right, and please tell me if you think I'm wrong, but isn't that saying if you don't use your phone for four hours you need the passcode? That's ridiculous. Right now I think it's 48 hours then you have to use the passcode if you haven't used the Touch ID. 
    Nope. It is an "and", not an "or". After 156 hours, it starts the four-hour clock. The idea is to avoid interrupting you in the middle of the workday. If you don't wake and look at your phone for over four hours, you're probably asleep or doing something entirely without your phone.
    Gotcha. Thanks, that makes a lot more sense.
  • Reply 16 of 33
    The 156 hours, to me, just says once a week you need to enter the passcode, even if you don't restart your phone or hit any of the other conditions, which it basically is for me now. I hardly ever run out of juice, but with an update or something there's usually a restart in there somewhere once a week. I am waiting for the X. But the 1 in 1 million argument doesn't seem that high if you're factoring in twins or family members who look alike, versus Touch ID, where you would have a different fingerprint than your twin.
  • Reply 17 of 33
    gatorguy Posts: 24,213 member
    The 156 Hours, to me just says once a week ,you need to enter the pass code, even if you don't restart your phone, or any of the other conditions, which it basically is for me now, I hardly ever run out of juice, but with an update or something there's usually a restart in there somewhere once a week. I am waiting for the X. But the 1 in 1 million argument doesn't seem that high if your factoring in twins or family members who look like. versus touch id , where you would have a different finger print then your twin.
    Apple advises it is not as high as 1:1M for twins, siblings with close resemblances, or children 13 or younger, which is why they recommend relying on passcode instead in those situations if keeping your phone private is important to you. In reality I doubt most folks are that anal about it. 
  • Reply 18 of 33
    brucemc Posts: 1,541 member
    Is this enough for Al Franken, or does he need to issue another press release asking for more information...
  • Reply 19 of 33
    brucemc Posts: 1,541 member
    cali said:

    For Apple Pay purchases in stores, users have to confirm intent to pay by a double-tap of the side button, followed by a Face ID authentication, before placing the iPhone X near the contactless reader. Users will have to reauthenticate with Face ID if they change a different Apple Pay payment method, but will not need to tap the button again.
    "Confirm intent to pay"?

    Currently, when paying with Apple Pay, I simply hold my iPhone near the payment terminal and my credit card is automatically displayed, I confirm my touching my finger to the Home button and that's it.

    With FaceID will I have to hold the iPhone near the payment terminal, then double-tap the side button, then authenticate with my face and then hold the iPhone to the reader again?  This seems like a slightly more cumbersome procedure.  I suppose I could double-tap the side button while pulling the iPhone from my pocket, authenticate and then hold to the reader, but will that work?

    Overall, it doesn't matter terribly as I usually use my Apple Watch for Apple Pay.  However, twice lately (at Big Y) my Apple Watch hasn't been successful and I've had to use my iPhone as a backup.
    Sounds like sh**. I’ve been noticing TouchID more now and yes it’s easier to just look at the screen for locked apps but Apple Pay seems like a pain in comparison. 
    Immediate reaction after glancing at a comment on an article not read "...Fucking Apple implementation is shit...."

    ...Or you could wait and try it before you condemn it, but where is the troll glory in that...
  • Reply 20 of 33
    The 156 Hours, to me just says once a week ,you need to enter the pass code, even if you don't restart your phone, or any of the other conditions, which it basically is for me now, I hardly ever run out of juice, but with an update or something there's usually a restart in there somewhere once a week. I am waiting for the X. But the 1 in 1 million argument doesn't seem that high if your factoring in twins or family members who look like. versus touch id , where you would have a different finger print then your twin.
    There haven't really been any broad studies on fingerprint similarity. All of the ones I've read rely on the birthday paradox to test a relatively small number of people and extrapolate that they probably would have seen collisions if collisions were common. The birthday paradox results in a probability, though. There's a chance they happened to sample a collection of people who don't have colliding fingerprints.

    To the best of my knowledge, there have been no serious studies at all of fingerprint fragment similarity. Touch ID only looks at a section (about a 1/4" by 1/4") of your fingerprint at a time. It is meant to be orientation-insensitive and it has no knowledge of which finger is which. It also matches the section against a larger sample of your fingerprint internally. Finally, it has no idea which fingers it knows or which fingers are being presented to it. All of these dramatically increase the probability of collisions.

    If someone's left ring finger rotated 70º has the same pattern as part of your right thumb, Touch ID can't tell the difference. We don't know how likely it is for a set of identical twins to have overlapping fingerprint fragments.