Facing Facts with FaceID
Let's take a quick moment to talk about FaceID, the latest authentication method that Apple has introduced with the iPhone X (and, if rumors are to be believed, will eventually be making its way into all of their devices).
As is typical with a new technology from Apple, everyone is trying hard to figure out what's wrong with it. There has been a wave of recent news stories and videos claiming to show how easy it is to spoof FaceID. The problem is that they don't understand how FaceID works—it's doing what it's supposed to, and it actually works very well.
FaceID works like the bouncer at a bar, except instead of a list of A-list celebrities' names who get in, he's got a photographic memory for faces. When you first set up your iPhone X, it's like the manager giving the bartender your picture and saying "Let this guy in." So if you show up, the bartender compares your face to the one he remembers, and if it matches, hey, you're in!
Now what happens if you shave off your beard and come back to the bar? The bartender doesn't recognize you, because you don't have a beard anymore. "Sorry," he says, "I need another form of ID." So you show the bartender the digital equivalent of an ID, in this case your passcode. The bartender goes "OK, now I know it's you. I can see the resemblance between you now and the way you used to look, so I'll remember you this way now." Now he remembers your new (slightly different) face.
That's pretty much how FaceID works. The important things to know are that Apple doesn't actually keep a picture of your face; they scan your face using a projected mesh of dots (30,000 of them), calculate the depth in 3D, and then store that information as a mathematical representation in the "secure enclave" on your phone (the same enclave that the FBI freaked out about a while back because they couldn't get into it). Even if a hacker did get into the secure enclave, all they'd get is a long string of useless mathematical data. Also note that the information is only stored on your phone; it's not sent to Apple. That means even if Apple's servers get hacked, no one has your face formula or the passcode for your phone.
So how are kids getting into the phone? Well, hopefully your children sort of look like you. Not enough to get recognized by the bouncer, but enough that when your kid looks at the phone and types in the passcode, the phone updates itself to recognize that new face, which it thinks is yours because they entered your passcode! That'll teach you not to give out your passcode.
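To make the adaptive behaviour described above concrete, here is a toy simulation written for this post; it is not Apple's code and it does not use Apple's actual matching or update rules. It assumes, purely for illustration, that a face is a short numeric feature vector, that matching is cosine similarity against the stored template, and that the template only adapts after a correct passcode when the rejected face was a near miss (above a lower threshold). The thresholds, the learning rate and the feature vectors for the owner, the shaved owner, the child and a stranger are all constructed.

```python
"""Toy model of adaptive face-template matching (added illustration, not Apple's code).

Assumptions (invented for this example): a face is a small feature vector, matching
is cosine similarity against the enrolled template, and the template is nudged toward
a presented face only when (a) the face failed to match, (b) the correct passcode
was then entered, and (c) the failed face was close enough to count as a near miss.
"""
import math

MATCH_THRESHOLD = 0.97       # unlock without a passcode at or above this similarity
NEAR_MISS_THRESHOLD = 0.85   # adapt the template only if the failed face was this close
LEARNING_RATE = 0.5          # how far the template moves toward a passcode-confirmed face


def cosine(a, b):
    """Cosine similarity between two equal-length feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb)


class FaceTemplate:
    """Holds the enrolled 'face formula' and applies the adaptive update policy."""

    def __init__(self, enrolled_face, passcode):
        self.template = list(enrolled_face)
        self._passcode = passcode
        self.update_log = []  # similarity scores of every attempt that changed the template

    def attempt_unlock(self, presented_face, passcode=None):
        """Return (unlocked, method) where method is 'face', 'passcode' or 'denied'."""
        sim = cosine(self.template, presented_face)
        if sim >= MATCH_THRESHOLD:
            return True, "face"
        if passcode is None or passcode != self._passcode:
            return False, "denied"
        # Passcode fallback succeeded. If the face was a near miss, adapt toward it.
        if sim >= NEAR_MISS_THRESHOLD:
            self.template = [t + LEARNING_RATE * (p - t)
                             for t, p in zip(self.template, presented_face)]
            self.update_log.append(round(sim, 3))
        return True, "passcode"


def run_scenarios():
    """Constructed feature vectors; returns the outcome of each unlock attempt."""
    owner = [1.0, 0.8, 0.6, 0.4]       # enrolled owner (constructed)
    shaved = [1.0, 0.8, 0.2, 0.4]      # same owner after shaving: one feature changed
    child = [0.5, 0.8, 0.6, 0.4]       # child who resembles the owner
    stranger = [0.1, 0.2, 0.9, 0.8]    # unrelated face
    passcode = "123456"                 # constructed passcode
    results = {}

    # 1. Owner shaves: face fails, passcode works, template adapts, next look works.
    phone = FaceTemplate(owner, passcode)
    results["owner_enrolled"] = phone.attempt_unlock(owner)
    results["shaved_first"] = phone.attempt_unlock(shaved)
    results["shaved_with_passcode"] = phone.attempt_unlock(shaved, passcode)
    results["shaved_second"] = phone.attempt_unlock(shaved)

    # 2. Child who looks a bit like the owner and knows the passcode: after one
    #    passcode-confirmed near miss, the child's face unlocks on its own, and the
    #    owner's face still does too. This is the shared-passcode problem from the post.
    phone = FaceTemplate(owner, passcode)
    results["child_first"] = phone.attempt_unlock(child)
    results["child_wrong_passcode"] = phone.attempt_unlock(child, "000000")
    results["child_with_passcode"] = phone.attempt_unlock(child, passcode)
    results["child_second"] = phone.attempt_unlock(child)
    results["owner_after_child"] = phone.attempt_unlock(owner)

    # 3. Stranger with the passcode: the passcode unlocks the phone, but the face is
    #    too different to be treated as a near miss, so the template is left alone.
    phone = FaceTemplate(owner, passcode)
    results["stranger_with_passcode"] = phone.attempt_unlock(stranger, passcode)
    results["stranger_updates"] = len(phone.update_log)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenarios().items():
        print(f"{step:24s} -> {outcome}")
```

The point of the third scenario is the defensive one: the passcode alone does not teach the phone a new face; it is the combination of a near-miss face and a correct passcode that does. Sharing the passcode with someone who already looks a little like you is what lets the template drift.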
So is it actually possible to spoof FaceID? Yes. If Madame Tussaud's creates a wax figure of you that is lifelike enough, it would likely be enough to fool the sensors. That's pretty unlikely, though. What if someone, in, say, a totalitarian regime such as the TSA, takes your phone from you and tries to unlock it by aiming it at your face? Apple thought of this too, and made it so if you close your eyes it won't unlock. Pretty smart. Although if you've gotten to the point where the authorities are trying to access your phone without your permission, you've got bigger problems to worry about.
One last note: If you don't want to use FaceID at all, you don't have to. You can just tell the phone to use a good old fashioned passcode, and you're good to go.
FaceID will only get better with time, and you can be certain that Apple has a lot more functionality planned than just unlocking your device and creating hilariously funny karaoke.