In the short time since Apple announced its Face ID feature for the iPhone X, we’ve seen a lot of questions about its security compared to a fingerprint or passcode. For example, if you’re arrested, can a police officer just point your phone at your face and unlock it?
Apple has some technical features that might make this harder. The iPhone X isn’t supposed to unlock if your eyes are closed, for example, and since iOS 11 reportedly lets you disable Touch ID on the fly, you might be able to do the same for Face ID. But from a legal perspective, you’re less secure unlocking a phone with your face — or just about any biometric mechanism — than with a passcode.
Your face may be more like a key than a password
As I wrote earlier this year, courts have so far granted different Fifth Amendment protections — which stop police from making you give potentially incriminating testimony — to keycodes and biometric locks. Keycodes are considered “testimonial” evidence based on the contents of your thoughts. But in multiple cases, suspects have been ordered to unlock a phone via fingerprint, under the reasoning that their fingerprint is a piece of physical evidence.
In other words, giving up a phone’s PIN is like giving up the code to a combination lock, which the Fifth Amendment protects. So far, courts have treated your finger more like an ordinary key. Facial recognition hasn’t been tested in this way yet, because it’s still an unusual security feature. But the same arguments will likely apply to your face as your fingerprint.
There are outliers to this policy. One judge blocked a blanket request to let police test fingerprints from everyone in a building, for instance, and passwords aren’t always sacrosanct. Also, if facial scans get more complex — if you need to make a specific, non-obvious facial expression, for example — they could start to seem more explicitly “testimonial.” But memorizing a code will give you a more clearly protected form of security than using either Touch ID or Face ID on their own.
This vulnerability isn’t unique to Face ID or Apple; I originally laid out the problem after Samsung introduced face unlocking in its phones this spring. And as long as it’s easy to switch between Face ID and passcode security, you could mitigate the risk considerably. But it’s one of many factors to weigh if you’re setting up an iPhone X — and unlike more general questions about security and performance, we won’t get more details about it when the phone comes out this fall.