Face ID hacked, but you probably shouldn’t abandon it yet

Editor's note (2026-05-11): finished from a draft started in November 2017, a few weeks after the iPhone X launch. Treated as a period piece — context, links and conclusions reflect what we knew at the end of 2017.

There are two interesting stories. One comes from Wired, where a 10-year-old was able to unlock his mother's phone. The other comes from Bkav, a Vietnamese security research firm.

Ars Technica has a very good analysis with some great questions.

Apple's About Face ID page has some interesting information:

The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID). As an additional protection, Face ID allows only five unsuccessful match attempts before a passcode is required. The statistical probability is different for twins and siblings that look like you and among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate.

Emphasis mine. This quite explicitly states that the probability of a successful unlock by a relative is higher than 1 in 1,000,000. The more interesting bits come from Apple's Face ID whitepaper:

To improve unlock performance and keep pace with the natural changes of your face and look, Face ID augments its stored mathematical representation over time.

This makes sense for Face ID to work when you grow facial hair, put on some make up, or wear glasses.

Upon successful unlock, Face ID may use the newly calculated mathematical representation — if its quality is sufficient — for a finite number of additional unlocks before that data is discarded.

I'm not sure what to make of this paragraph. If it was a successful Face ID unlock, what is the purpose of storing the new representation for a finite number of additional unlocks? Wouldn't it mean that if someone happens to fool Face ID once, they're more likely to fool it again? On the other hand, this is of course an unlikely scenario: most people's phones will be used only by them, in countless lighting conditions and with faces that change slightly for short periods (glasses, a five o'clock shadow, make-up, and so on).

Conversely, if Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation. This new Face ID data is discarded after a finite number of unlocks and if you stop matching against it. These augmentation processes allow Face ID to keep up with dramatic changes in your facial hair or makeup use, while minimizing false acceptance.

Every time a PIN is entered after a rejected face, Face ID is designed to treat that scan as a misfire, correcting itself so that it becomes more accurate over time. If those siblings entered a PIN after the wrong sibling's face was rejected by Face ID, the system would have learned his features.

The uncomfortable part of the Wired story is not that Face ID rejected the 10-year-old and then gradually learned from its mistake.

It is uncomfortable because it suggests the opposite: the child was being accepted as a false match.

In the reported case, the mother enrolled Face ID, and her 10-year-old son was then able to unlock the phone. After she re-enrolled her face, he could no longer get in. But when she enrolled again under similar indoor, nighttime conditions, the problem returned. After several successful unlocks by the child, his ability to get in appeared to become consistent.

That distinction matters.

If Face ID rejects you, then asks for the passcode, and you successfully enter it, the system can use that as a signal that the failed face may still belong to the owner. That is useful when you grow a beard, change glasses, wear makeup, or age.

But if a similar-looking child is accepted as "you" from the beginning, the adaptation mechanism may reinforce the wrong identity. Each successful unlock by the child can make future child-unlocks more likely, not less.
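To make the adaptation mechanism in the whitepaper excerpts concrete, here is a toy model added for this post. It is not Apple's algorithm and is not derived from it: a face is reduced to a constructed two-number feature vector, a scan is accepted when it lies within a threshold of the closest stored representation, an accepted scan of sufficient quality is kept as temporary extra data for a bounded number of further unlocks, a rejected near miss followed by the passcode is kept too, and the five-failure limit quoted from Apple above forces the passcode. Every threshold, lifetime and vector (MATCH_THRESHOLD, AUGMENT_QUALITY, NEAR_MISS, AUGMENT_LIFETIME, OWNER, CHILD_GOOD_LIGHT, CHILD_OFF_ANGLE) is an assumption chosen to keep the scenarios readable; only MAX_FAILED_ATTEMPTS comes from Apple's published description.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Toy parameters assumed for this model (not Apple's values); only the
# five-attempt limit comes from Apple's published Face ID description.
MATCH_THRESHOLD = 1.0    # accept when the closest stored representation is this close
AUGMENT_QUALITY = 0.85   # an accepted capture this close is kept as extra data
NEAR_MISS = 1.3          # a rejected capture this close, then the passcode, is kept
AUGMENT_LIFETIME = 3     # kept data expires after this many unlocks that don't match it
MAX_FAILED_ATTEMPTS = 5  # Apple: passcode required after five failed matches


@dataclass
class Representation:
    vector: tuple
    unlocks_left: Optional[int]  # None marks the permanent enrolled representation


@dataclass
class AdaptiveMatcher:
    reps: list
    failed_attempts: int = 0
    last_rejected: Optional[tuple] = None

    @classmethod
    def enroll(cls, vector):
        return cls(reps=[Representation(tuple(vector), None)])

    def _closest(self, capture):
        return min(self.reps, key=lambda r: math.dist(capture, r.vector))

    def _augment(self, capture):
        # Keep the capture as temporary data beside the enrolled representation.
        self.reps.append(Representation(tuple(capture), AUGMENT_LIFETIME))

    def _age(self, matched):
        # Matched temporary data is refreshed; the rest ticks down and expires.
        for r in self.reps:
            if r.unlocks_left is not None:
                r.unlocks_left = AUGMENT_LIFETIME if r is matched else r.unlocks_left - 1
        self.reps = [r for r in self.reps if r.unlocks_left is None or r.unlocks_left > 0]

    def attempt(self, capture):
        """One face scan. Returns 'accepted', 'rejected' or 'passcode_required'."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return "passcode_required"  # locked out until the passcode is entered
        best = self._closest(capture)
        d = math.dist(capture, best.vector)
        if d > MATCH_THRESHOLD:
            self.failed_attempts += 1
            self.last_rejected = tuple(capture)
            return "rejected"
        self.failed_attempts = 0
        self._age(best)
        if 0 < d <= AUGMENT_QUALITY:  # a good, non-identical capture is learned
            self._augment(capture)
        return "accepted"

    def passcode_entered(self):
        """The passcode clears the lockout; a near-miss scan just before it is learned."""
        self.failed_attempts = 0
        rejected, self.last_rejected = self.last_rejected, None
        if rejected is not None and math.dist(rejected, self._closest(rejected).vector) <= NEAR_MISS:
            self._augment(rejected)


# Constructed feature vectors for the scenarios below.
OWNER = (0.0, 0.0)
OWNER_WITH_BEARD = (0.0, 1.2)  # the owner, drifted just past the match threshold
CHILD_GOOD_LIGHT = (0.7, 0.0)  # a lookalike child already inside the threshold
CHILD_OFF_ANGLE = (1.5, 0.0)   # the same child in a capture that fails on its own


def owner_adaptation():
    """Intended use: a rejection followed by the passcode teaches the owner's new look."""
    m = AdaptiveMatcher.enroll(OWNER)
    first = m.attempt(OWNER_WITH_BEARD)   # rejected: 1.2 > MATCH_THRESHOLD
    m.passcode_entered()                  # 1.2 <= NEAR_MISS, so the capture is kept
    second = m.attempt(OWNER_WITH_BEARD)  # accepted against the kept capture
    return first, second


def lookalike_reinforcement():
    """The worry in the post: a child accepted from the start widens what counts as 'you'."""
    m = AdaptiveMatcher.enroll(OWNER)
    before = m.attempt(CHILD_OFF_ANGLE)  # rejected: 1.5 from the enrolled face
    good = m.attempt(CHILD_GOOD_LIGHT)   # accepted at 0.7 and kept as extra data
    after = m.attempt(CHILD_OFF_ANGLE)   # accepted: 0.8 from the kept child capture
    return before, good, after


def lookalike_expiry():
    """If the child stops unlocking, the kept capture expires after a few owner unlocks."""
    m = AdaptiveMatcher.enroll(OWNER)
    m.attempt(CHILD_GOOD_LIGHT)
    for _ in range(AUGMENT_LIFETIME):
        m.attempt(OWNER)  # owner unlocks never match the child's data, so it ticks down
    return m.attempt(CHILD_OFF_ANGLE)  # rejected again once that data is gone


def stranger_lockout():
    """Apple's stated limit: after five failed matches the passcode is required."""
    m = AdaptiveMatcher.enroll(OWNER)
    results = [m.attempt((3.0, 3.0)) for _ in range(MAX_FAILED_ATTEMPTS + 1)]
    m.passcode_entered()  # far from any stored data, so nothing is learned
    return results, len(m.reps)
```

The two middle scenarios are the point of the model. In owner_adaptation the beard capture is rejected, the passcode turns it into learned data, and the same capture is accepted next time, which is the adaptation the whitepaper describes. In lookalike_reinforcement the off-angle capture of the child fails against the enrolled face alone, but once a better-lit capture of the same child has been accepted and kept, the off-angle capture is accepted too and is itself kept, so each child unlock widens what the model treats as the owner. lookalike_expiry shows the bound on that drift: if only the owner unlocks for a while, the child's data ages out and the off-angle capture is rejected again. stranger_lockout shows the five-attempt limit and that a far-off rejected scan is not learned when the passcode is entered.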

That does not make Face ID broken.

It makes Face ID a biometric system: a probabilistic match against a model of your face.

The "1 in 1,000,000" number is a population-level false-match claim. It is not a guarantee that your sibling, twin, or young child cannot unlock your phone. Apple has been clear about this: the probability is different for twins, siblings who look like you, and children under 13, because younger facial features may not be fully developed.

The deeper lesson is simple: biometric authentication is excellent for convenience and decent security against strangers. The more someone looks like the enrolled face, the less the population-level number means.

What Bkav's mask actually shows

Bkav's mask demo is the other side of the same coin.

They built a mask using a 3D-printed structure, silicone elements, and 2D images for parts of the face, then used it to unlock a Face ID-protected iPhone. That sounds dramatic, and it is a good proof of concept.

But it is not a normal attack.

The important caveat is the setup. Bkav had access to the target's facial measurements, time to build a custom mask, and the ability to iterate against the phone. There were also reasonable questions about how the phone had been enrolled and whether the model had effectively been weakened during setup.

That does not match the everyday threat model Face ID is designed for.

What Bkav demonstrated is not that Face ID is broken for normal users. It demonstrated that Face ID is not a defence against a motivated attacker who has detailed facial data, physical access to the device, time, and the ability to iterate.

That was already true of Touch ID, fingerprint readers in general, iris scans, and, frankly, your front door lock. Consumer biometrics are designed for the "someone grabbed my phone off the table" case, not the "a well-resourced adversary built a custom artifact of my face" case.

Should you turn Face ID off?

No. Probably not.

But you should be clear about what Face ID actually buys you.

Against a random stranger who picks up or steals your phone, Face ID is comfortably good. It has a published false-match rate, it allows only a limited number of failed attempts before requiring the passcode, and it does its job well.

Against a relative who looks like you, especially a sibling, twin, or child under 13, the story changes. Apple itself recommends using a passcode if you are concerned about that scenario. The adaptation mechanism helps when the real owner's appearance changes. It does not help if two different people are both being accepted as the same face.

Against a targeted attacker with resources, time, and access to your face, biometrics are the wrong primary tool. Use a strong passcode. Also learn the gesture that temporarily disables Face ID: on Face ID iPhones, press and hold the side button and either volume button until the power/emergency screen appears. The next unlock will require the passcode.

There is also a legal angle. In some jurisdictions, courts have treated compelled biometric unlocking differently from compelled passcodes, though the law is split and still evolving. If that risk matters to you, a passcode is still the safer primitive.

What changes compared with Touch ID is the failure mode.

Touch ID failures looked like this:

The kid pressed your finger to the sensor while you were asleep.

Face ID failures look more like this:

Someone who looks enough like you held up the phone and it unlocked.

The first is physical, obvious, and awkward. The second is silent and routine. That is a different kind of caution to learn.

So yes — keep Face ID on.

It is a better default than a four-digit passcode and much faster than typing a strong one every time. But know which threat you are defending against.

Face ID is good security against strangers.

It is weaker against close biological similarity.

It is not a serious defence against a targeted attacker with time, access, and motivation.

And "1 in 1,000,000" should not be asked to do more rhetorical work than it can actually carry.