Is Apple’s Face ID Strong Enough for Identity Proofing?

Face ID was added to most smartphones in 2017. The revolutionary technology largely replaced iPhones’ TouchID software and added an extra layer of security to Apple smartphone devices. The two-layer security combination of Face ID and Passcode keeps iPhones more secure than traditional facial recognition done by a simple 2D front-facing camera.

But Face ID is doing more than just unlocking smartphones. The technology is also used to authorize online transactions on most Apple devices — and it’s raised some safety and security concerns.

Let’s explore how Face ID works and whether or not it’s a strong enough tool for securing devices against hackers.

Apple uses TrueDepth camera, a facial scanning tool, in each of its iPhones. This Face ID technology uses an infrared camera system to scan a user’s face and create a depth map composed of up to 30,000 individual dots invisible to the human eye.

Apple’s face-scanning technology focuses primarily on the eyes, nose and mouth. It also uses liveness detection to gauge whether a user’s eyes are open and looking directly at the device. If the user is lying down, squinting, or has their eyes closed, Face ID won’t register them as a true user.

Apple stores a mathematical representation of your face locally on your device. Data is never backed up to the cloud, so your biometric information isn’t at risk of being stolen or breached.

Security Issues With Apple Facial Recognition

In the early days of Apple’s Face ID, users were able to fool the facial recognition software with simple tricks. The iPhone X, which launched in 2017 and was the first product to feature Face I D, could be fooled with masks, identical twins and even children.

But Apple’s Face ID technology has come a long way in the last few years. While the technology isn’t perfect, the software doesn’t fall for the same rudimentary hacking methods that it once did.

Can Face ID Unlock Your Phone with a Picture?

A picture isn’t enough to unlock an Apple device with Face ID. The software uses advanced 3D mapping sensors to verify facial features, which won’t work on a 2D photograph.

The Facial Recognition Difference Maker: Liveness Detection

The real security of facial recognition technology comes from the ability to tell the difference between an image of someone’s face (like a photograph) and the real thing. This is known as liveness detection.

Apple’s 3D TrueDepth camera uses depth information to identify and characterize a face. A 2D photo or print image won’t have those same depth indicators, so Face ID won’t recognize the face features.

Other facial recognition tools that use 2D cameras may require an additional liveness challenge or test, such as moving the eyes or turning the head, to verify that the user is a real person and not a photograph.

Apple’s Face ID is also attention-aware, meaning the user needs to be looking at the device to be approved. This prevents someone from accessing a device while the user is asleep or distracted.

Generative AI Guide: How to Protect Your Business in the Golden Age of Fraud and Misinformation

Identity Proofing vs. Biometric Authentication: Time to Raise the Bar

While Apple’s Face ID provides a user-friendly and familiar way to access accounts and make online purchases, it doesn’t actually validate that the user is who they claim to be.

A Face ID map is connected to an Apple ID, which can be created with any email address. A fraudster can create an Apple ID using illegitimate credentials, such as a stolen credit card, to make online purchases and buy digital goods.

To prevent application fraud, companies need to do more to confirm a customer’s digital identity. Biometric-based identity verification can provide the same ease of use as Apple’s Face ID while implementing extra layers of security.

Face ID vs. Biometric-Based Identity Verification: What’s the Difference?

Biometric-based identity verification software compares the user’s selfie to a government-issued photo ID and then uses a biometric template to authenticate the user each time they return to the platform. Here’s how it works:

  • A new user creates an account and takes a picture of an approved ID.
  • The user is prompted to take a corroborating selfie, which is matched to the ID photo in real time.
  • A baseline biometric template is created and attached to the user’s account.
  • Each time future authentication is required, the user takes a fresh selfie to be matched with the biometric template on file.

The initial ID verification process acts as a trust anchor, confirming crucial information like name, birth date and address match the user in the selfie.

Frequently Asked Questions

How does Face ID work in the dark?

Advanced facial recognition systems often work in the dark, thanks to the device’s neural networks. Your device will illuminate the whole face using an invisible infrared flash module, allowing the device to securely verify the user’s face in the dark.

Is it possible to hack face recognition?

Face recognition relies on sophisticated algorithms and a Secure Enclave for protection. While no system is entirely hack-proof, Apple continuously updates iOS to enhance security, making it highly challenging to hack Face ID.

What phones can be unlocked by photos?

Several devices have been tested and can be unlocked by a photo in their older models. For example, the following Android phones have been found by many testers including the Dutch Consumer Association to be easily spoofed:

  • Samsung Galaxy S9 and S9+
  • Samsung Galaxy Note 8
  • OnePlus 6
  • Huawei P20
  • Xiaomi Mi 7

Does your Face ID get stored in iCloud?

No, Face ID data is not stored in iCloud. Face ID data is stored locally on the device and is not backed up to iCloud. When you set up Face ID, the data is encrypted and securely stored in the device’s Secure Enclave, which is a special hardware component that provides an extra layer of security.

Can you disable Face ID?

Yes, users can disable Face ID on their Apple devices. While users have control over enabling or disabling Face ID based on their preferences, it is not generally recommended. There are still some security issues with Face ID technology, but it is an added layer of security that allows you to keep your digital identity safe.

What Apple devices work with Face ID?

Face ID is available on most Apple devices, including the most recent iPhone, iPad Pro, Apple Watch and more. However, Face ID is not yet available on Macs. While the technology is underway, we still don’t know when to expect facial recognition technology on Apple’s laptops and desktop computers.

Stay Secure With Jumio’s Face-Based Biometric Identification

While Apple’s Face ID strengthens smartphone security, the technology is still not perfect. Users may still face security threats to their devices with spoofing techniques. While it is not possible to unlock an iPhone with a photo, there are still other ways to circumvent the Face ID process.

For proactive security, businesses should explore Jumio’s innovative online identity verification. Integrating face-based biometrics, Jumio provides a comprehensive solution addressing Face ID limitations and enhancing security, enabling seamless transactions across devices. Jumio’s face-based biometric technology stands as a reliable alternative in the evolving biometric security landscape.


Originally published June 17, 2019


Get the latest updates from the Identity and Beyond blog, delivered to your inbox.

Error: Invalid action URL is detected.

Yes, I would like to receive periodic updates from the Jumio blog as well as marketing communications regarding Jumio products, services, and events. I can unsubscribe at any time.

Jumio values your privacy. To learn more, visit our Privacy Statement.