Face ID is not yet entirely secure. Why your brother/sister can probably unlock your phone


Biometric security authentication has made quite the splash in the smartphone arena in the last couple of years. Fingerprint and Face ID/Unlock are two such biometric features taking centre stage. Face ID is the newer of the two and as such commands a premium over its Fingerprint counterpart. Devices sporting Face ID are comparatively more expensive than those with just a Fingerprint sensor.

There is perhaps no other company that has fronted Face ID as much as Apple has. As such, we will refer a lot to Apple when talking about this biometric security authentication technology. Apple made news when they completely overhauled their security authentication system and in the process got rid of Touch ID (Fingerprint) for Face ID for unlocking your iPhone and making payments. In true Apple fashion, consumers aren’t given the option to choose whether they like a feature or not before it’s given the boot.


Without a doubt, Face ID and Fingerprint ID are very convenient ways to maintain a level of security on your device. Instead of punching in a PIN, password or unlock passcode every time, you simply touch the fingerprint sensor or look at your screen. But the questions still linger: is Face ID secure? What of Fingerprint?

How Safe is Face ID Versus Fingerprint/Touch ID

According to Apple, the probability that a random person off the street could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID). As an additional security protection, Face ID for iPhone allows only five unsuccessful match attempts before a passcode is required.

Things get muddy when it comes to twins and siblings though. The statistical probability is different for people that look alike and among children under the age of 13, because their distinct facial features may not have fully developed. My brother, whose facial features are vaguely similar to mine, managed to unlock 5 separate devices with my Face ID. We are yet to unlock each other’s Fingerprint ID.

From these observations, if somebody snatched your phone, the odds against them unlocking it are high. That ratio of 1 in 50,000 for Fingerprint/Touch ID is hard enough to beat. When it comes to Face ID, the ratio of 1 in a million becomes statistically impossible unless you have a database of the population stowed away somewhere. And even then, there are some caveats.

Clearly, Apple and a few other high-end smartphone manufacturers have their R&D departments burning the midnight oil for cutting-edge technology that won’t be easily beaten. The same doesn’t apply to budget handsets that ship with Face ID and Touch ID. At times these have to cut some corners, thereby releasing these features as curiosities without any serious security technology behind them. Consequently, we wouldn’t place much faith in these biometric security authentication features in lower-end smartphones just yet.

Disclaimers about Face ID


“When using Face Recognition to unlock your device, your phone could be unlocked by someone or something that looks like your image. As Face recognition is less secure than Pattern, Pin, or Password, we recommend using the Iris recognition, Fingerprint recognition, Pattern, Pin, or Password to lock the device. Additionally, if you use your face as a screen lock method, your face cannot be used to unlock the screen when turning on the device.” (Official Samsung S8/S8+ Disclaimer)

“The statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed. If you’re concerned about this, we recommend using a passcode to authenticate.” (Apple, About Face ID advanced technology)


Face ID Privacy Concerns

The likes of Huawei, ZTE and OnePlus have at some point in the past been caught secretly transmitting data from their smartphones back to Chinese servers. These backdoors, while not always ominous, are a signal that security breaches are a clear and present danger.

Apple, which has a rather impressive track record where privacy is concerned, has some checks and assurances in place. The iPhone’s TrueDepth camera captures a user’s facial data by projecting 30,000 invisible dots to create a depth map of the face. This Face ID data is encrypted and protected by the Secure Enclave, which is something akin to a super-secure vault in your device. Any data in the Secure Enclave, which can also include eSIM data and the mathematical representation of your face, never leaves your device and is not backed up anywhere. Theoretically, that is.

Conversely, security in budget smartphones is meh! They intentionally never really say how they implement the security features behind Face ID. Where is it stored, and what’s to say that the data we so trustingly offer isn’t being transmitted back to their servers? A Secure Enclave is a gold standard when it comes to device security. It’s basically a small portion of your device that is inaccessible to mere mortals like you and me. But that’s the sore point. Many OEMs don’t bother adding a Secure Enclave to their SoCs (Systems on Chip). By design, this security flaw compromises data stored on a device, leaving it open to attack.

Face ID/ Fingerprint ID Security Safeguards

To use Face ID, as is the case with Touch ID, you must set up a passcode. In a perfect world (and with iPhone), a passcode will be required of you when:

  • The device has just been turned on or restarted.
  • The device hasn’t been unlocked for more than 48 hours.
  • The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn’t unlocked the device in the last 4 hours.
  • The device has received a remote lock command.
  • After five unsuccessful attempts to match a face.
  • After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
  • If your device is lost or stolen, you can prevent Face ID from being used to unlock your device with Find My iPhone Lost Mode (iPhone)

That’s all well and good and we laud Apple’s implementation of biometric authentication. The same standards, it appears, don’t apply to cheap smartphones that are capitalising on the popularity of Face ID. We made a few observations with a $200 smartphone along with 3 more slightly below that price tag. These are our observations in the real world about Face ID.

  • You can have as many tries as you like
  • You don’t have to make eye contact with the phone camera.
  • Consequently, it can be unlocked when you’re asleep or closing your eyes.
  • The phone can be switched off without authentication but can’t work without passcode after Restart
  • There is no information about the actual technology running Face ID.
  • Limited uses for Face ID other than unlocking the phone.
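The passcode-fallback rules from the first list, and the effect of the missing attempt limit noted in the second, as an added example (not Apple's or any vendor's code). The field names are hypothetical, and treating the quoted 1 in 1,000,000 figure as an independent per-attempt rate is an assumption.

```python
from dataclasses import dataclass

HOUR = 3600.0
MAX_FAILED = 5             # failed face matches before the passcode is forced
FACE_RATE = 1 / 1_000_000  # quoted random-person figure, assumed here to be per attempt

@dataclass
class LockState:
    """Hypothetical device state; timestamps are seconds on the same clock as `now`."""
    passcode_since_boot: bool
    last_unlock: float      # last successful unlock by any method
    last_passcode: float    # last unlock with the passcode
    last_face: float        # last unlock with Face ID
    failed_matches: int = 0
    remote_lock: bool = False
    sos_triggered: bool = False

def passcode_reasons(s: LockState, now: float) -> list:
    """Names of the listed rules that currently force the passcode (empty: Face ID allowed)."""
    checks = [
        ("restart", not s.passcode_since_boot),
        ("idle_48h", now - s.last_unlock > 48 * HOUR),
        ("passcode_stale", now - s.last_passcode > 6.5 * 24 * HOUR
                           and now - s.last_face > 4 * HOUR),
        ("remote_lock", s.remote_lock),
        ("failed_matches", s.failed_matches >= MAX_FAILED),
        ("power_off_sos", s.sos_triggered),
    ]
    return [name for name, hit in checks if hit]

def false_accept_chance(per_attempt: float, attempts: int) -> float:
    """Chance of at least one false match, assuming independent attempts."""
    return 1 - (1 - per_attempt) ** attempts

if __name__ == "__main__":
    now = 10 * 24 * HOUR  # constructed sample clock: day 10
    stale = LockState(True, now - 5 * HOUR, now - 7 * 24 * HOUR, now - 5 * HOUR)
    fresh = LockState(True, now - HOUR, now - 7 * 24 * HOUR, now - HOUR)
    print(passcode_reasons(stale, now))   # passcode a week old, Face ID 5 h ago
    print(passcode_reasons(fresh, now))   # same passcode age, Face ID 1 h ago
    print(false_accept_chance(FACE_RATE, MAX_FAILED))  # capped at five tries
    print(false_accept_chance(FACE_RATE, 10_000))      # no cap, as on the budget phones
```

The quoted figure applies to a random person; the look-alike rate for siblings is not given on this page, so it is not modelled here.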

Last word

Biometric authentication technology is not made to replace a password or PIN on a smartphone. Rather, it complements the security features already in place. For this reason, you are often not able to unlock your device with either Face ID or Fingerprint/Touch ID when the device starts. Unlike Apple, which touts Face ID as the future, Samsung is more pragmatic in its claims. Where’s the joy in having a secure device your family members can unlock with a smile? It defeats the whole purpose of security where Face ID is concerned. Our advice is to take this technology with a grain of salt. The future is here, but not quite.