Despite Face ID’s Sophistication, the Passcode is Still ‘the Foundation’ of User Security: Apple

Apple may be a leader and even a pioneer in mobile biometrics, but the company still says that the passcode is the ultimate security mechanism for its iPhone users.

The surprising stance is hidden in Apple’s newly published, 78-page iOS Security Guide, which is meant to go into detail on the security mechanisms and processes of its mobile operating system. As 9to5Mac notes, in discussing both the fingerprint scanning Touch ID system and Face ID, the highly secure infrared facial recognition system of its iPhone X smartphones, Apple suggests that the biometric authentication systems are aimed more at convenience than security, allowing users to easily access their devices “within thoughtful boundaries and time constraints.” Meanwhile, “a strong passcode forms the foundation of your iOS device’s cryptographic protection.”

It’s a surprising assertion, given Apple’s heavy emphasis on the accuracy and reliability of its biometric authentication systems. Even within this same iOS Security Guide, Apple asserts that “[t]he probability that a random person in the population could look at your iPhone X and unlock it using Face ID is approximately 1 in 1,000,000,” adding, “For additional protection, both Touch ID and Face ID allow only five unsuccessful match attempts before a passcode is required to obtain access to your device.”

If it’s such a secure system, why is Apple insisting that the passcode – considered by many security experts to be on the verge of archaic as a mechanism – is the real key to users’ security? Part of the reason could be liability; Apple alone is responsible for the accuracy and reliability of its biometric authentication systems, whereas users need to be accountable to some extent for creating strong passcodes and ensuring they aren’t shared with anyone else. So it’s possible Apple is trying to give itself some cover in the event that a user’s biometric authentication system is ever hacked. And it is simply a fact that both of Apple’s biometric authentication systems can be bypassed with a passcode, making the latter the default – or foundational – security mechanism of its mobile devices.

In any case, Apple has buried this messaging in a highly technical paper that most consumers won’t ever read, so it is unlikely to stir up much commotion among iPhone X users.

Sources: 9to5Mac, Apple Insider