can you trust Face ID?Last month, Apple drew excitement with its iPhone X announcement. The new phone, slated for a Nov. 3 release date, has captured the imagination and attention of Apple fans with some of its new features. Integral to the most novel features of the iPhone is a camera that is capable of very detailed facial recognition. In fact, the facial recognition of the camera, called Face ID, can even serve as a means of locking and unlocking the device by simply looking at it. But is it secure? Though it might be too early to tell, we go in-depth about details surrounding Face ID and biometrics in general to help you make an informed decision about the feature.

What is Face ID?

Face ID is a biometric security system that, so far, is exclusive to the iPhone X. But while the feature is new, it should feel somewhat familiar to longtime Apple users as its function is nearly identical to that of the Touch ID system it’s replacing. With a mere glance at your phone, Apple says you can unlock it, make payments through Apple Pay or make purchases in the Apple App store and iTunes. Third-party apps might have the ability to work with Face ID, too, but they will not have access to the data which Face ID uses to identify you.

How is Face ID different than existing biometric systems?

Facial recognition is actually a fairly old technology, and most consumers might recognize that other phones, like the Samsung Galaxy S8, have similar features. However, Apple has painstakingly ensured that Face ID doesn’t replicate the vulnerabilities of older facial recognition technologies. First, like with Touch ID, there are limitations to when you can use Face ID. You can’t use it, for example, when your device has first been turned on or after several unsuccessful face match attempts. There’s also a mode you can manually activate which disables Face ID. As for the technology powering Face ID, it appears to be more sophisticated than other facial recognition systems. It uses sensors that allow for depth perception, which means that static 2D images, like pictures of a face, won’t fool the system. Face ID also uses infrared lighting which means that even 3D molds or models of your face will also not fool the system. Additionally, your eyes need to be open in order for Face ID to activate, so it can’t be used against you in your sleep or, in theory, against your will — though this may also present issues for those with physical disabilities or who wear head coverings that might make it difficult to use Face ID.

What are the privacy implications of Face ID?

Face ID seems relatively, if not significantly, more secure than some of the existing facial biometric technology. Luckily, some of that security goes toward addressing many consumer privacy concerns. Apple promises that, like with Touch ID, data from Face ID will be stored at the device level in a secure enclave. This means that no personal data will be sent to Apple’s servers, and if someone breaks into your device, the Face ID data will be stored on a separate system within your phone, making it harder to access. It’s also worth noting that Face ID doesn’t store images of your face, but a mathematical representation of your face, meaning you don’t have to worry about your security photos being stored on the device.

Despite all of this, for some, concerns remain. For example, some believe that there’s the possibility Apple could retroactively change its Terms of Service to modify its polices around user data, for example. Monitoring facial expressions could be easily monetized as the data would provide a wealth of Pattern of Life information that can be used for marketing research, should Apple decide to change its business model. While there’s no reason to suspect Apple will do this, there’s also no reason to suspect it couldn’t do this. In the same vein, as we saw with the Apple vs. FBI showdown, or with the CIA and Snowden leaks, Pattern of Life metadata is also valuable to governments and hackers. It’s possible through cooperation with tech companies, or through hijacking and coercion, that governments or state-sponsored actors could access these tools for their own purposes.

The good news is that, based on what we’ve seen so far, none of these scenarios seems likely, but the fact that they’re at all possible means that there might be good reason to remain wary of the technology.

Is there anything that can defeat Face ID?

It’s important to note that, even by Apple’s own admission, Face ID isn’t meant to be the silver bullet to today’s cybersecurity problems, as it has limitations. For example, any identical twins (or triplets) won’t want to use Face ID. Apple also mentions that even if you don’t have identical siblings there’s a one in a million chance that a random person could be a match for your Face ID’s representation of your face. Additionally, children under 13 can’t use Face ID, given that their faces are changing shape. While these are the only caveats that Apple has noted about its system, security researchers are eager to learn how Face ID works and identify other potential limitations.

Should you use Face ID?

Face ID seems to be pretty secure – it definitely looks to be leagues above most of the facial recognition implemented in earlier smartphones – but there’s no reason to believe that it or any other security method by itself is airtight. In that regard, the added benefits of Face ID don’t seem readily apparent. Although it’s extremely convenient, and does not seem to sacrifice security for ease of use, the fact is that Face ID relies on a single factor that can’t be changed if it’s compromised. Such a security system is inflexible and the equivalent of putting all of your eggs in one basket, however strong and sturdy that basket might be.

In addition to the security concerns, there are also the added privacy concerns that more advanced biometric systems like Face ID might introduce down the line. Though we have no reason to suspect that technology like this will be abused by advertisers or governments, no one knows what the future could hold. Some worry that while Face ID itself won’t be responsible for privacy violations, it could initiate the process which normalizes them.

It’s important to note that opting into these systems might not personally put you at risk for any of the concerns listed above, but they are at the very least things that you should be aware of before fully committing to biometric technologies. For more information on tech related news and developments read our technology blog.