iPhone X Face ID spills secrets as Apple talks security

With the iPhone X on the horizon, and plenty of questions about how Face ID will hold up, Apple has relaunched its privacy site and released a white paper about the facial recognition system. Announced at Apple's iPhone event earlier this month, Face ID relies on the iPhone X's TrueDepth Camera, the cluster of new sensors that occupies much of the controversial "notch" at the top of the smartphone's OLED screen. Since it completely replaces Touch ID, there have been questions all the way up to the government about just how safe and secure it might be.

Apple's white paper retreads some old ground covered during the iPhone X launch event. For instance, the likelihood of Face ID mistaking you for someone else is approximately 1 in a million, Apple says. In contrast, it's 1 in 50,000 for Touch ID. There's also a warning for those people with identical twins. "The probability of a false match is different for twins and siblings that look like you as well as among children under the age of 13, because their distinct facial features may not have fully developed," Apple points out. "If you're concerned about this, we recommend using a passcode to authenticate."

As Touch ID does with fingerprints, Face ID and the TrueDepth camera don't actually store an image of your face. Instead, after scanning they create a mathematical representation based on infrared images. Those images, the representations they're used to generate, and "mathematical representations of your face calculated during some unlock attempts if Face ID deems them useful to augment future matching" are saved locally, in the Secure Enclave on the iPhone X.

That data never gets uploaded to the cloud, saved off-device even in backups, or is shared with Apple. Over time, Face ID can update its math based on the changes of the user's facial features: so, if you're growing a beard, it should be able to keep pace and still recognize you. It's smart about how it handles unlock failure, too. If the system doesn't recognize you, but you then punch in your PIN or passcode correctly straight away, Face ID will capture your face again and use that data to update the model it's keeping.

Importantly, for apps which currently use Touch ID for authentication – such as mobile banking and more – Face ID will slot in there in its place with no coding changes required. Apps don't get access to facial scans or any of the data in the Secure Enclave. All they receive is confirmation of whether the person using the software is authenticated or not.

There's a lot more in Apple's white paper, but the long and short of it is that Face ID is, at its core, handled much like Touch ID has been for the past few generations of iPhone. That has obvious benefits for developers, in addition to positive security implications for users. It also means that, when the TrueDepth Cameras are available in sufficient numbers – a factor which is believed to be holding up iPhone X production – it shouldn't be too great an issue to spread Face ID to other platforms like future MacBooks and more.

MORE Apple