If you give your sibling your iPhone X Passcode, Face ID isn't being fooled by them. You've already turned off security and are now letting Face ID be retrained — by them.
There have been some fun if silly videos making the rounds over the last couple of days that claim to show twins, triplets, or non-identical siblings "fooling" Face ID into unlocking iPhone X. And, this being iPhone X launch weekend, they're getting a predictably high amount of attention.
Unfortunately, in everyone's rush to be sensational, claim the next controversy, and rack up views, the facts are often being left behind. So, let's back up for a moment, take a breath, put our thinking caps back on, and review just how Face ID works again.
Face ID and twins: Evil and otherwise
When Apple first introduced Face ID back in September, a month before launch, senior vice president of worldwide marketing Phil Schiller mentioned on stage that identical twins, triplets, etc. could generate false matches through Face ID and that, if you had an evil identical sibling, you might want to use a Passcode instead.
A couple of weeks ago, Apple followed up with a Face ID white paper that provided more details on the system:
The probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000 (versus 1 in 50,000 for Touch ID). For additional protection, Face ID allows only five unsuccessful match attempts before a passcode is required to obtain access to your iPhone. The probability of a false match is different for twins and siblings that look like you as well as among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate.
If you have the kind of relationship with your identical sibling where you're fine with them having your passcode or previously made sure they had a finger registered on your device for Touch ID, then Face ID and how it works won't be an issue for you. It'll be a convenience. If you don't have that kind of relationship or your identical sibling is legit evil, you'll have to stick to just a passcode or get an iPhone 8 with Touch ID instead.
Face ID and siblings: Fooling vs. training
One of the videos that got a lot of attention this weekend was made by two brothers, both of whom were eventually able to get Face ID to unlock the same iPhone X. It was revealed in a follow-up video that the first brother set up Face ID, then the second brother tried to use it and was properly locked out. Then the second brother entered the iPhone X passcode to unlock.
If someone else, including your sibling, has your iPhone X passcode, Face ID doesn't even exist. You've given them much higher access than even Face ID allows — including the ability to reset Face ID and other data on your iPhone X — and, literally, nothing else matters at that point. Keys to the castle. Time to go home.
But for Face ID in particular, there's some interesting behavior that's worth being reminded about: The neural networks that power Face ID are designed to learn and continue to match your face as you change your appearance over time. That holds if you shave your mustache and/or beard, change your glasses and/or hairstyle, add or remove any makeup and/or facial decorations, or put on or take off hats and/or scarves.
Here's how Apple described it in the white paper released a few weeks ago:
To improve unlock performance and keep pace with the natural changes of your face and look, Face ID augments its stored mathematical representation over time. Upon successful unlock, Face ID may use the newly calculated mathematical representation—if its quality is sufficient—for a finite number of additional unlocks before that data is discarded. Conversely, if Face ID fails to recognize you, but the match quality is higher than a certain threshold and you immediately follow the failure by entering your passcode, Face ID takes another capture and augments its enrolled Face ID data with the newly calculated mathematical representation. This new Face ID data is discarded after a finite number of unlocks and if you stop matching against it. These augmentation processes allow Face ID to keep up with dramatic changes in your facial hair or makeup use, while minimizing false acceptance.
And in the Apple Support article:
...This data will be refined and updated as you use Face ID to improve your experience, including when you successfully authenticate. Face ID will also update this data when it detects a close match but a passcode is subsequently entered to unlock the device.
In the video, the second brother wasn't fooling or tricking Face ID in any way. By entering the Passcode, he was training it, as designed, to learn his face. By entering the Passcode multiple times, the second brother was literally telling Face ID to add his facial data to the first brother's.
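A toy model of the augmentation rule quoted above, as an added example that is not Apple's code or part of the original article. The thresholds, the augmentation lifetime, the face vectors, the passcode, and the names `FaceLock` and `sibling_scenario` are assumptions made for illustration; only the five-attempt limit comes from the white paper.

```python
import math

MATCH, NEAR = 0.95, 0.85  # assumed thresholds; the real values are not published
MAX_FAILS = 5             # white paper: five failed matches, then passcode required
AUG_LIFETIME = 3          # assumed value for the "finite number of unlocks"

def similarity(a, b):
    """Cosine similarity between two toy face vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))

class FaceLock:
    def __init__(self, enrolled, passcode):
        self.enrolled, self.passcode = enrolled, passcode
        self.augmented = []    # [template, unlocks_left] added after near misses
        self.fails = 0
        self.near_miss = None  # capture from a close-but-failed attempt

    def present_face(self, face):
        if self.fails >= MAX_FAILS:
            return "passcode required"
        templates = [self.enrolled] + [t for t, _ in self.augmented]
        if max(similarity(face, t) for t in templates) >= MATCH:
            self.fails, self.near_miss = 0, None
            # Augmented data survives only while it keeps matching, for a few unlocks.
            self.augmented = [[t, n - 1] for t, n in self.augmented
                              if n > 1 and similarity(face, t) >= MATCH]
            return "unlocked"
        self.fails += 1
        close = similarity(face, self.enrolled) >= NEAR
        self.near_miss = face if close else None
        return "no match"

    def enter_passcode(self, code):
        if code != self.passcode:
            return "wrong passcode"
        if self.near_miss is not None:  # near miss, then passcode: learn the face
            self.augmented.append([self.near_miss, AUG_LIFETIME])
        self.fails, self.near_miss = 0, None
        return "unlocked"

def sibling_scenario(shares_passcode):
    owner, sibling = (1.0, 0.0, 0.2), (0.9, 0.4, 0.2)  # constructed vectors
    phone = FaceLock(owner, "123456")                  # constructed passcode
    log = [phone.present_face(sibling)]
    if shares_passcode:
        log.append(phone.enter_passcode("123456"))
    log.append(phone.present_face(sibling))
    return log
```

In this model the sibling's face is rejected on its own merits in both runs; it only starts unlocking after the passcode has been entered, and the learned data is dropped again once the owner unlocks without matching it.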
Why this matters
No one who could benefit from technologies like Face ID, which make devices more approachable, more accessible, and even just a little more human, deserves to be made to feel fearful, uncertain, hesitant or doubtful about them. Especially not just so a few people and outlets who should know better — white paper or no white paper, some of this is simple logic — can get some attention.
Face ID absolutely should be tested. Every new technology has its limits and it's important we learn and understand them. But we also have to be responsible. Biometrics have always been more about identity than security. Anyone serious about security uses a long, strong, unique password and shares it with absolutely no one else. Most of us don't want or need that. We want and need something that balances good security with far greater convenience.
Part of that balance involves knowing the limitations and how to minimize them — including not giving siblings your Passcode if you don't want them to have access to your iPhone X — Face ID or no Face ID.