Skip to main content

No, siblings aren't 'fooling' Face ID — they're training it

Face ID setup
Face ID setup (Image credit: iMore)

There have been some fun if silly videos making the rounds over the last couple of days that claim to show twins, triplets, or non-identical siblings "fooling" Face ID into unlocking iPhone X. And, this being iPhone X launch weekend, they're getting a predictably high amount of attention.

Unfortunately, in everyone's rush to be sensational, claim the next controversy, and rack up views, the facts are often being left behind. So, let's back up for a moment, take a breath, put our thinking caps back on, and review just how Face ID works again.

Face ID and twins: Evil and otherwise

When Apple first introduced Face ID back in September, a month before launch, senior vice president of worldwide marketing, Phil Schiller mentioned on stage that identical twins, triplets, etc. could generate false matches through Face ID and that, if you had an evil identical sibling, you might want to use a Passcode instead.

A couple of weeks ago, Apple followed up with a Face ID white paper that provided more details on the system:

The probability that a random person the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID). For additional protection, Face ID allows only five unsuccessful match attempts before a passcode is required to obtain access to your iPhone. The probability of a false match is different for twins and siblings that look like you as well as among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate.

If you have the kind of relationship with your identical sibling where you're fine with them having your passcode or previously made sure they had a finger registered on your device for Touch ID, then Face ID and how it works won't be an issue for you. It'll be a convenience. If you don't have that kind of relationship or your identical sibling is legit evil, you'll have to stick to just a passcode or get an iPhone 8 with Touch ID instead.

Face ID and siblings: Fooling vs. training

One of the videos that got a lot of attention this weekend was made by two brothers, both of whom were eventually able to get Face ID to unlock the same iPhone X. It was revealed in a follow-up video that the first brother set up Face ID, then the second brother then tried to use it and was properly locked out. Then the second brother entered the iPhone X passcode to unlock.

See more

If someone else, including your sibling, has your iPhone X passcode, Face ID doesn't even exist. You've given them much higher access than even Face ID allows — including the ability to reset Face ID and other data on your iPhone X — and, literally, nothing else matters at that point. Keys to the castle. Time to go home.

But for Face ID in particular, there's some interesting behavior that's worth being reminded about: The neural networks that power Face ID are designed to learn and continue to match your face as you change your appearance over time. If you shave your mustache and/or beard, if you change your glasses and/or hairstyle, if you add or remove any makeup and/or facial decorations, as you put on or take off hats and/or scarves.

Here's how Apple described it in the white paper (opens in new tab) released a few weeks ago:

To improve unlock performance and keep pace with the natural changes of your face and look, Face ID augments its stored mathematical representation over time. Upon successful unlock, Face ID may use the newly calculated mathematical representation—if its quality is sufficient—for a finite number of additional unlocks before that data is discarded. Conversely, if Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation. This new Face ID data is discarded after a finite number of unlocks and if you stop matching against it. These augmentation processes allow Face ID to keep up with dramatic changes in your facial hair or makeup use, while minimizing false acceptance.

And in the Apple Support (opens in new tab) article:

...This data will be refined and updated as you use Face ID to improve your experience, including when you successfully authenticate. Face ID will also update this data when it detects a close match but a passcode is subsequently entered to unlock the device.

In the video, the second brother wasn't fooling or tricking Face ID in any way. By entering the Passcode was training it, as designed, to learn his face. By entering the Passcode multiple times, the second brother was literally telling Face ID to add his facial data to the first brother's.

Why this matters

No one who could benefit from technologies like Face ID, which make devices more approachable, more accessible, and even just a little more human, deserve to be made to feel fearful, uncertain, hesitant or doubtful about them. Especially not just so a few people and outlets who should know better — white paper or no white paper, some of this is simple logic — can get some attention.

Face ID absolutely should be tested. Every new technology has its limits and it's important we learn and understand them. But we also have to be responsible. Biometrics have always been more about identity than security. Anyone serious about security uses a long, strong, unique password and shares it with absolutely no one else. Most of us don't want or need that. We want and need something that balances good security with far greater convenience.

Part of that balance involves knowing the limitations and how to minimize them — including not giving siblings your Passcode if you don't want them to have access to your iPhone X — Face ID or no Face ID.

More on the limits of Face ID: What you need to know!

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

55 Comments
  • I read the same article on 9to5Mac and something was definitely strange. If you're a tech "writer" and you're going to post about a subject, you should at the very least try to learn the details of that subject, so you can understand what's going on to better inform your readers. These articles are nothing more than sensationalism to garner page hits and in turn, advertising dollars.
  • This article seems fairly detailed, what details is he missing?
  • Thanks Rene, I hadn't seen a reasonable explanation of those videos until now. Thanks for that.
  • Thanks René. This is the kind of BS that explains why Apple sends review units to Youtube stars instead of so called tech journalists. The second video posted in the article shows clearly how Face ID was trained using the two different faces and the author is still not retracting his bogus claim.
  • What about the twins and triplets that CAN fool face id?
  • Yes, Apple announced that limitation on stage. If the face is identical, Face ID will process it identically.
  • “By entering the Passcode multiple times, the second brother was literally telling Face ID to add his facial data to the first brother's.” Does the phone face scan whoever enters a successful passcode for training? I ask because my wife has my passcode which is fine. But wouldn’t that alter the phone’s learning of my own facial features?
  • If the face is distinct enough and the passcode is used occasionally, it shouldn't cause a problem.
  • Personally I'd prefer couldn't to shouldn't.
  • Face ID is too early to say "couldn't" yet. I'm sure it will turn into "couldn't", but I don't blame Rene for covering himself at this point
  • Any white paper on this? I couldn't find anything stated by Apple that it was the case only if faces that appear similoar enough would be trained with Face ID and that if passcodes are only used occasionally it would happen. I feel like this could be an issue. Especially with children who use their parents phones or even friends. It adds a whole other layer of problems that touch ID just didn't have.
  • Touch ID has its own problems though that aren't fixable. This sounds like something that would be fixable, and it probably isn't as bad as it's made out to be. Time will tell though
  • I'm all for stamping down unfounded FUD, but in this instance it seems like a genuine security issue, especially for those of us with a rather generic face.
  • No one has a generic face. You'd have to have similar facial geometry and give them your passcode and allow them to enter it repeatedly. And once they have your passcode, nothing else, including Face ID or Touch ID, matters.
  • Not all of us can be as strikingly handsome as you, Rene.
  • He has a point though, no one has a generic face. There are very minor differences in everyone's face, even if it's something as simple as nose shape. You would literally have to find a doppelgänger to have Face ID fooled
  • Too bad Rene, FaceGate is already a thing. The haters are circling their wagons around it, pounding away at it. No amount of reasoned response will stop it.
  • Both camps ( android- ios ) will always jump on the bandwagon to run with it if there is a problem with a phone. Whether it's the X, Pixel, Note 8, iPhone whatever, fans of the opposite operating system will always chime in with glee and happiness when a rival phone is having issues. It's sad but people don't realize there can never be 1 best phone because no phone will ever be the best at everything.
  • “...will always jump on the bandwagon to run with it if there is a problem...” Fine, when there is a problem, But faking evidence to create the appearance of a problem. That is rather different. Like the famous bending iPhone video, with an almost invisible cut, just as the bending force was released, so that the phone could be bent off camera.
  • Indeed, there's a large difference between an actual problem and one that is just an hyperbolic claim
  • Has Apple issued an official response ?
  • Everyone seems to have the memory of a goldfish, but Apple mentioned about how it might not work for identical twins at the very event at which they announced the iPhone X itself. They literally closed this issue down as soon as people were thinking of it, but yeah people still like to bring this up for some reason
  • What about the video where the siblings had at least 8 years between them. One was an adult and the other was a child. Surely we recognize the security implications if FaceID detected sufficient matches between them to allow authentication and training to continue in that situation. https://youtu.be/BGofMEZWWR8
  • Safe to say that touchid was far more secure. Should have given people options. Next year faceid will incorporate iris scan which will fix this.
  • More like next year, nobody will be talking about this and this year’s #gate will have long been forgotten.
  • Same **** different year 🙂 can't wait for whatever #gate there is next year /s
  • Fix what?
  • The limitations of face id. Try and keep up.
  • There's nothing to fix. Face ID is working as it was intended. Every authentication method has flaws, and Face ID has far fewer flaws than Touch ID
  • Touch ID isn't more secure. Guess you didn't watch the Apple event, which makes your uninformed opinion… well, uninformed
  • Having watched the videos and explanations again, I can see what Apple were trying to achieve with their fancy machine learning and to reduce the false negatives encountered as our faces naturally change. However from a security POV it seems that the more simplistic way that systems such as Windows Hello work is preferable. With Hello you can ask for it to scan your face again should you encounter a false negative, rather than it automatically doing so when you enter the pin. In my work environment we occasionally borrow each others Surface Laptops and it would mean we would have to lose the convenience that Hello provides if it worked like Face ID.
  • Hello is much less secure though. According to Microsoft’s page on Windows Hello, there is a 5% error for false positives, and a 5% error on false negatives. That’s very poor security.
  • I wasn't saying that Hello is more secure, just that I think the request that one's face is relearned is perhaps a more secure system than scanning anyone who enters the login pin.
  • Is it more secure or is it not? You pretty much said "I know it's not as secure, but I think it's more secure" which makes no sense
  • I didn't say either way. But for as far as I can tell apple's technology is more advanced so in theory it's more secure. However the fact that Hello doesn't continuously learn your face probably less of a security risk than Face ID. Probably.
  • Brilliant!!!!! That shows that you understand it better than anyone out there!!!!
  • This was my first guess when I first saw that stupid video.
  • I just want to know why it won’t work with my Rayban Avaitors even with Require Attention turned off
  • It will work with sunglasses that don’t have strong infra red filtering. If it does, then it won’t work.
  • Yeah this is true. You know it makes me think, if we had thought 15 years ago about having a device which does everything in our hands, that scanned our faces to unlock it, we honestly wouldn't have cared about limitations about this. Sure shows what incredibly high expectations we have of technology today. But yeah, works with some sunglasses, not all. Depending on the strength of the infrared filtering
  • I'd like to see tests on a large set of systems that were used a few hundred times, after FaceID had a chance to store solid data on the face. Some independent statistical analysis on that would be nice too. Pro-FaceID or anti-FaceID, no one has numbers on this.
  • Pro-Touch ID or anti-Touch ID, Touch ID still became the main authentication method regardless of whatever statistics or FUD. In a year's time Face ID will just be the norm and no one will care
  • We will have to wait and see how many of these "Training" incidents occur before its an actual issue. The people defending FaceID are the one ones that are quick to call out the issues of other non-Apple products.
  • One of the trends with Apple products, is that every time a new Apple product comes out with a new feature, it's unnecessarily criticised. Same happened with Touch ID, Touch Bar, 3D Touch etc. What happens is people point out all the "flaws" and where it could possibly go wrong, people argue, then in a year's time no one gives a **** about it anymore because all the FUD was false
  • It’s new technology folks. The best thing to do if you are nervous is to wait a year or get an iPhone 8 or get and iPhone 8/plus for a ine year commitment through carrier or Apple Upgrade. Personally i looked at the new phones and am taking a pass.
  • "Unfortunately, in everyone's rush to be sensational, claim the next controversy, and rack up views, the facts are often being left behind." - RENE RITCHIE iMore for the win!
    Now you can just take over the major news outlets… that'd be great ;-)
  • Rene's just as guilty when speaking of other OEMs. Don't kid yourself.
  • false.
  • And this is why I still prefer TouchID
  • Yep.
  • Don't really know why you hate Face ID so much, but I guess you're just one of the main people helping spread FUD when you haven't even used an iPhone X
  • You prefer Touch ID which has many more flaws, yet you found one small flaw with Face ID and you dismiss it instantly? You must be fun at parties…
  • I have an 8 plus coming this week. 256gb, space gray. Don't care about any of this.
  • Well, yes. This is true.
  • The issue here is for instances where we allow our family members to use our phone. The X's first inclination is to scan the face of the user. If it will do that before giving the option to enter a passcode, its going to fail. Then when the user enters the passcode it's going to register that persons face or add that persons characteristics to the algorithm it uses. That seems problematic.