Surely my face is more secure than a password? I’d set far more complex passwords if I knew I only needed it in the rarest of events!
Thoughts?
1 Like
Because sometimes Face ID doesn’t work and you need a fallback method to get to your data.
Your iPhone works in exactly the same way.
I know after a reboot it’s required. The thing about a face is that it can be involuntarily collected, whereas a password is more intentional.
There’s a list of situations where the FaceID is required:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn’t unlocked the device in the last 4 hours.
- The device has received a remote lock command.
- After five unsuccessful attempts to match a face.
- After initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds.
- If the device’s battery is below 10%.
A lot of those make sense, even if the timeouts are longer than what I would expect. It’s mostly about you being able to intentionally lock your device against intrusion, and providing a set of very relaxed defaults.
Consider the Emergency SOS one. You use your iPhone to, for example, call EMS because something is wrong. If it didn’t shut down FaceID, whoever showed up would be able to unlock your phone and comb through whatever data data you had on there while you were unconscious. Edge case? Definitely. Worth considering? Yes.
1 Like
Additional to @webwalrus’ explanation: Apple Platform Security documentation provides the background –
The data protection keys used by biometrics are stored in the Secure Enclave after the device has been unlocked at boot time. If the device restarts, the keys are discarded by Secure Enclave, thus the passcode is needed in order to re-establish the keys in Secure Enclave so that biometrics can be used again.
More on unlocking devices and the role of the Secure Enclave here
3 Likes
Ah, that explains the “battery below 10%” thing - it must discard the key well before the power off, to make sure it happens.
It’s interesting to know that not only doesn’t it allow the unlock, but it actually can’t. Fascinating. 
1 Like
There’s not much to add to this except that I think it makes clear the idea that passwords (at least for encrypted devices) serve two very different functions that are often seen as the same thing.
1 Like