Does Face ID make the iPhone X more secure? Depends who's asking
Face ID is one of the most attention-grabbing new features of the upcoming iPhone X, but there are serious questions about whether it can keep your device secure.
The feature uses facial biometrics to determine if you’re the authorized owner of the phone. Face ID will replace the Touch ID fingerprint sensor on the phone. Biometrics have been added to phones and tablets in recent years, in part because they’re perceived to be more secure than passcodes.
In reality, whether your fingerprint or face is stronger than your passcode entirely depends on your threat model.
An individual’s threat model is, simply put, a determination of your own vulnerabilities. Knowing the weak points in your defenses and the types of targets who would try to attack you makes it easier to know how to guard against them.
Everyone’s threat model is different. A high school teacher will likely face different threats than someone working from a busy cafe or airport, or than an intelligence agency employee working on classified missions.
In the context of owning a phone, the main focus should be preventing unauthorized access to your data.
Your phone stores some of the most personal things in your life, knowing what your threat model is can determine what kind of security feature you need to prevent the most likely attack.
For the vast majority of Americans, the biggest threat is having your phone stolen by an opportunistic thief in a bar or from a bag or purse. Having a phone that requires the thief to realize the phone is locked, run back and hold up the stolen phone to the owner’s face to gain access to the goods on the device is incredibly unlikely to happen.
You may be without a phone but at least your data is safe.
But others, like reporters, lawyers, or activists, may be subject to different conditions. They could be arrested or detained, either by police or at the border of a foreign country where the law permits a law enforcement officer to search your phone.
Even under US law, an officer with a warrant can force you to depress your fingerprint on the Touch ID sensor to your phone and unlock it in order to carry out a lawful search of your data. The same can be said for an officer can holds up your phone to your face and unlocks it with Face ID. (A fair point: Face ID requires the phone owner to have their eyes open.) These biometric seizures happen more often than you might realize.
But you cannot be legally compelled to unlock a device with a just a passcode. That’s because under the US constitution, the Fifth Amendment protects what’s stored in your head, but not what’s on your body.
Even iOS 11, which lands on the iPhone X, lets you force-activate the passcode.
Most people dismiss being arrested or detained because they think it won’t happen to them. There are false positives in everyday life — including being wrongly arrested. People are wrongly arrested all the time and have their devices searched, and later released without charge. Most people don’t care about their rights until they need them.
Choosing a method of phone unlock is not as simple as just wanting to keep a friend, a partner, a family member — or even a stranger — out of your device. Most people don’t realize that they could, one day, be in a situation where a government (or another government) is trying to get access to your phone.
Is Face ID more secure than a passcode? It depends who you ask.
If it’s a jealous partner who wants to rummage through your text messages, then it’s fairly secure. But if it’s a government wanting to know who you communicate with, then you’re likely tough out of luck.