iPhone X FaceID is not really more secure!

[oneMadRssn]

I think what OP is saying, though very inartfully, is that since a device is only as secure as its weakest link, and since the weakest link on all iPhones is the backup passcode, all iPhones are equally secure/insecure (or, no iPhone is more secure than any other iPhone).

 

[EM2013]

What....? Use someone else’s Touch ID device and put your finger on it. It’ll ask for a passcode too.

This thread makes no sense.

 

[casperes1996]

But MOST people would never do that. I bet 90% of codes are 4-6 digits.

This being the case it’s irrelevant how secure FaceID is.

Six digits is the default and you have to confirm twice, maybe even thrice, I can't remember, to make it 4 digits. So it does matter how secure FaceID/TouchID is. Guessing a 4-6 digit code that can't really be brute-forced with the time delays iOS has, even not taking the self-destruct feature into account, is going to take so long that it'd be easier to make a 3D model of your face, and the more precise that 3D model would have to be, the better the whole system. Security isn't about making it impossible to break into something - that itself is an impossible task. It's just about making it more trouble than it's worth. And to guess a 4-6 digit code with up to several hours between each attempt is going to take so many days - years maybe even that it's just not worth the hassle.... And then if you want to get the phone ready to be sold, assuming it's stolen, you need to also guess the AppleID password it's associated with...... Good luck.

 

[MEJHarrison]

Here's a fun story. Totally true.

My girlfriend's daughter got a 6s a few years back. She setup her fingerprints and handed the phone to me. I unlocked it on the first try. Granted, this was nothing but pure dumb luck. It just so happens our fingerprints are close enough to work. Pure coincidence.

Had I tried unlocking her phone with her passcode, I wouldn't have gotten in. Period.

I totally understand this is an odd situation. And you shouldn't draw any conclusions from one outlier data point. With that said, I wouldn't have gotten in with a PIN, while a fingerprint took 0 effort on my part.

 

[casperes1996]

My girlfriend's daughter got a 6s a few years back. She setup her fingerprints and handed the phone to me. I unlocked it on the first try. Granted, this was nothing but pure dumb luck. It just so happens our fingerprints are close enough to work. Pure coincidence.

Sorry this seems very unlikely - did she set it up right? I'm thinking it probably only registered a partial print if that's possible.

 

[Pagemakers]

I think what OP is saying, though very inartfully, is that since a device is only as secure as its weakest link, and since the weakest link on all iPhones is the backup passcode, all iPhones are equally secure/insecure (or, no iPhone is more secure than any other iPhone).

You are 100% correct. Yes it was “inartfully” because it was a drunken discussion in the pub! Regardless, it’s food for thought. It’s irrelevant how secure FaceID is if it can be overridden by a simple passcode.

With that, it’s time for bed and thanks for the banter - and no “code cookies” I’m not a troll. I just have a different opinion to you.

 

[oneMadRssn]

You are 100% correct. Yes it was “inartfully” because it was a drunken discussion in the pub! Regardless, it’s food for thought. It’s irrelevant how secure FaceID is if it can be overridden by a simple passcode.

With that, it’s time for bed and thanks for the banter - and no “code cookies” I’m not a troll. I just have a different opinion to you.

To be fair, it's not like someone can just guess a 4-digit passcode 10,000 times. First, the iphone slows you down after a certain number of wrong guesses. Incidentally, a fun but mischievous prank to pull on your buds at the pub - guess their code wrong 8 times and the iphone locks out completely for 15 minutes. Guess wrong one more time, and it's a 60 minute wait.

Basically, after 10 wrong guesses, the iphone is totally locked out and all data is deleted. Even if the wipe-out feature is disabled, it still takes at least 2h:21m to guess 10 codes. So to get to 10,000, it would take almost 100 days. Not only is guessing for that long totally unreasonable, it's plenty of time for the owner to lock their device remotely using iCloud and Find My iPhone.

So 4-digit passcodes aren't so insecure. Yes, 1 in 10,000 isn't great, but it's plenty considering all the other limitations Apple has put in.

 

[willmtaylor]

Haha. You’re missing the point. 4 digit or 6 digit code is irrelevant.

FaceID was sold to us because it was infinitely more secure than TouchID. We have to agree that TouchID is infinitely more secure than a 4 or 6 digit code. You guys are even laughing at my stupid friend for setting a 4 digit code (like many people) but if FaceID falls back to a 4 or 6 digit code it is no more secure than a 4 or 6 digit code it replaces.

If FaceID 2 is accurate to say only 2 people on planet Earth but a failed login attempt falls back to a 4 or 6 digit code than the entire FaceID security is irrelevant.

Think about it before you reply!

No, they’re laughing at you for making this thread....

 

[44267547]

The thread title “Face ID is not really more secure!” Is rather irrevelant to the OP’s actual argument about the security code and the title is somewhat clickbait.

 

[Gathomblipoob]

Hmmm. Good thing I'm still on a 6s+ using a 6 digit pin code then.

I use a rather lengthy alphanumeric code myself.

 

[csurfr]

Some maths:

a 4 digit password has 10,000 possible combinations
a 6 digit password has 1,000,000 possible combinations

a 8 character alphanumeric (ignoring symbols and capitals for now) has:
(10+26)^8 = 2,821,109,907,456 possible combinations

a 8 character alphanumeric with capitals (no symbols):
(10+26+26)^8 = 218,340,105,584,896 possible combinations

Touch ID has a supposed 1 in 50,000 chance of opening with the wrong finger.

Face ID has a chance of 1 in 1,000,000.
source

So although 4 digit password is statistically easier to guess/break than Touch ID or Face ID, as soon as you set a 6 digit password or alphanumeric password, it stands that the phone is more secure with Face ID than it would be with Touch ID due to Face ID's higher accuracy and the passcode not being the lowest barrier to entry on the phone.

Now this is ignoring all the caveats of Face ID being unlocked by twins etc.

Look at you with all of the fancy numbers. Well done!

I don't know what the OP was expecting Apple to do if FaceID failed other than mentioned above to brick the phone and secure it forever. Here's a thought, just turn on the setting to "Erase all data after 10 failed passcode attempts". Problem solved.

Can you compute the odds of someone being able to correctly guess your 4/6/Alpha passcode in 10 tries? I'd be very curious as to those numbers. Cheers!

 

[MEJHarrison]

Sorry this seems very unlikely - did she set it up right? I'm thinking it probably only registered a partial print if that's possible.

And this is the reply I get every damn time.

Yes, she set it up correctly. 1 in 25,000 (the numbers Apple gave for TouchID) are large odds. I was the 1 out of 25,000. I know it was properly setup because I'd had Touch ID for a while and helped her setup her phone. I'm also a programmer and very tech savvy. So I know what I'm doing. I'm 100% positive it was setup correctly. Don't know what else to say except this really happened.

Oddly enough, she was unable to unlock my phone with her finger. And after that first night, I never tried her phone again.

You're welcome to believe it or not. It's not really important to this conversation.

 

[Phone Junky]

So if we now agree that FaceID is down to convenience. Is it really more convenient than TouchID? If the answer is no then what’s the point?

The point is, the notch, where the FaceID TrueDepth camera is, is smaller vertically wise, than the home button (TouchID). To achieve the near all-screen design, Apple chose FaceID, which did away with the bottom bezel and most of the top bezel.

 

[anitak1982]

We don't have a home phone. I gave my family my security code so if they need to use the phone they can. No biggie to me. I have nothing to hide from my family

 

[raqball]

This thread is pure gold!

 

[Apple_Robert]

But MOST people would never do that. I bet 90% of codes are 4-6 digits.

This being the case it’s irrelevant how secure FaceID is.

I knew I was always the odd one out. I use a 12 digit code

 

[jgelin]

You do realize that touchID is only saying yes, this is a match, and inputting a code into the secure enclave right? FaceID is doing the same thing. You are not onto anything new here...

 

[casperes1996]

And this is the reply I get every damn time.

Yes, she set it up correctly. 1 in 25,000 (the numbers Apple gave for TouchID) are large odds. I was the 1 out of 25,000. I know it was properly setup because I'd had Touch ID for a while and helped her setup her phone. I'm also a programmer and very tech savvy. So I know what I'm doing. I'm 100% positive it was setup correctly. Don't know what else to say except this really happened.

Oddly enough, she was unable to unlock my phone with her finger. And after that first night, I never tried her phone again.

You're welcome to believe it or not. It's not really important to this conversation.

Don't get me wrong, I do believe you - I don't really see any reason to lie about this. As you point out however, the odds are very low, so I investigated a more likely scenario - that it was set up incorrectly. But as Sherlock Holmes would say, once all other options are wrong, the one remaining, no matter how unlikely, must be true. I'm sure you can understand that one assumes user error in the setup process, when the alternative is 1/25,000. By no means an impossible scenario, but more likely to be user error, since I'd imagine that happens a bit more often than 0,004% of the time

With respect to it not working when she tried on your phone, it's likely that it's only a small part of your prints that match and that the sensor is very particular about which parts of your fingers it recognise as "similar enough"

 

[jgelin]

Here's a fun story. Totally true.

My girlfriend's daughter got a 6s a few years back. She setup her fingerprints and handed the phone to me. I unlocked it on the first try. Granted, this was nothing but pure dumb luck. It just so happens our fingerprints are close enough to work. Pure coincidence.

Had I tried unlocking her phone with her passcode, I wouldn't have gotten in. Period.

I totally understand this is an odd situation. And you shouldn't draw any conclusions from one outlier data point. With that said, I wouldn't have gotten in with a PIN, while a fingerprint took 0 effort on my part.

TouchID learns as it goes along, so essentially more secure overtime. Your thumbprint is close enough within the initial threshold to trigger a match. Try it after a few hours of personal use by her and then your attempt will fail. I’d wager if you try again it will deny you.

 

[rugmankc]

I got a headache reading this thread--heading to a "pub"

 

[pastaman321]

Face ID or Touch ID will not prevent a 3rd party from gaining access to a device for data retrieval, it's the pass code that does this (this is what I think the OP was alluding too), Face ID and Touch ID are there for user convenience (pick your poison), the fact that face ID has less chance of being unlocked by a random stranger who is trying to access your facebook profile to troll you is purely for marketing purposes which a lot buy into.

 

[bigjnyc]

If the FBI with all of its resources and hackers couldn’t get this done, and had to pay a company 900k, I feel pretty safe that the average phone thief will not be able to unlock my phone.

 

[Peter K.]

You do realise that you can set as long as complex codes as you want, right? You can make your code "bannanaPumpk1nPIZZA∞∞" if you want. Furthermore, if the code is entered incorrectly you'll have to wait to enter it again, to prevent brute force attack, and optionally 10 incorrect attempts will nuke all data on the device

LOL! I am changing all my passwords to that.

 

[cynics]

I thought was clear that FaceID was more secure than TouchID in their keynote no?

 

[Mr.Blacky]

Face ID is supposed to be more secure than Touch ID.

It’s not.

In fact it’s no more secure than a 4 digit code.

Here’s how...

Pick up your mate's iPhone X. Try to authenticate using FaceID. You can’t. Now look what happens. You simply need to input their security code (could be 4 digits) to gain full access to the phone.

Apple could make FaceID 2 a hundred times more secure in iOS 12 but if it falls back to a 4 digit code it’s irrelevant.

Never thought about it until tonight when a mate demonstrated it to me in the local pub!!!

You're joking, right?
[doublepost=1520666467][/doublepost]

Haha. You’re missing the point. 4 digit or 6 digit code is irrelevant.

FaceID was sold to us because it was infinitely more secure than TouchID. We have to agree that TouchID is infinitely more secure than a 4 or 6 digit code. You guys are even laughing at my stupid friend for setting a 4 digit code (like many people) but if FaceID falls back to a 4 or 6 digit code it is no more secure than a 4 or 6 digit code it replaces.

If FaceID 2 is accurate to say only 2 people on planet Earth but a failed login attempt falls back to a 4 or 6 digit code than the entire FaceID security is irrelevant.

Think about it before you reply!

You are definitely joking, right?!?! You can also enter a pin with Touch ID.
[doublepost=1520666604][/doublepost]

If you could unlock a first edition iPhone with a 4 or 6 digit code and you can do exactly the same with an iPhone X which is the more secure?
[doublepost=1520632418][/doublepost]Why would you make something so secure that there is only 1 in a trillion chance of unlocking the device and when that fails you allow a 4 or 6 digit code.

If you try to unlock my phone with a code, all you'll see is an empty textbox and a standard keyboard. Good luck!