What’s up with Face ID timeouts?

The Loop posted a great summary of Apple’s Face ID security whitepaper.

Two points about how the timeout works really baffled me. Face ID is disabled when:

  • The device hasn’t been unlocked for more than 48 hours.
  • The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.

If the phone hasn’t been unlocked for 48 hours, it’s a good assumption that the phone has been lost or stolen. But why bother disabling Face ID? Is Apple nervous about its real-world effectiveness? Nervous that a thief may be able to unlock the phone with their face?

The second timeout seems more arbitrary. Why 156 hours? If I generally only use my phone once every 4 hours 5 minutes, then after 6.5 days I will have to re-authenticate with my passcode? Why? It seems completely arbitrary.
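To make the two quoted rules concrete, here is an added example (my own code, not from the post, The Loop, or Apple) that encodes them as a check and then simulates the "Face ID only, every 4 hours 5 minutes" habit described above next to a "every 3 hours 55 minutes" habit and a 49-hour gap. Only the two rules quoted above are modelled; the start timestamp and usage intervals are constructed.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Timeouts exactly as quoted from the whitepaper summary
NO_UNLOCK_LIMIT = timedelta(hours=48)        # rule 1
PASSCODE_STALE_LIMIT = timedelta(hours=156)  # rule 2, first half
FACE_ID_IDLE_LIMIT = timedelta(hours=4)      # rule 2, second half


def face_id_allowed(now: datetime,
                    last_unlock: Optional[datetime],
                    last_passcode_unlock: Optional[datetime],
                    last_face_id_unlock: Optional[datetime]) -> Tuple[bool, str]:
    """Evaluate the two quoted rules. None means the event never happened."""
    def older_than(event: Optional[datetime], limit: timedelta) -> bool:
        return event is None or now - event > limit

    # Rule 1: no unlock of any kind for more than 48 hours
    if older_than(last_unlock, NO_UNLOCK_LIMIT):
        return False, "no unlock in 48h"
    # Rule 2: passcode not used for 156h AND Face ID not used in the last 4h
    if (older_than(last_passcode_unlock, PASSCODE_STALE_LIMIT)
            and older_than(last_face_id_unlock, FACE_ID_IDLE_LIMIT)):
        return False, "passcode unused for 156h and Face ID idle for 4h"
    return True, "ok"


def first_forced_passcode(interval_minutes: int, horizon_days: int) -> Optional[int]:
    """Simulate a user who enters the passcode once at t=0 and afterwards only
    tries Face ID, once every `interval_minutes`. Returns the elapsed minutes
    of the first attempt that is refused (passcode required), or None if
    Face ID keeps working for the whole horizon."""
    t0 = datetime(2017, 9, 27)  # constructed start time; only differences matter
    interval = timedelta(minutes=interval_minutes)
    horizon = timedelta(days=horizon_days)
    last_unlock = last_passcode = t0
    last_face = None
    n = 1
    while n * interval <= horizon:
        now = t0 + n * interval
        ok, _ = face_id_allowed(now, last_unlock, last_passcode, last_face)
        if not ok:
            return int((now - t0).total_seconds() // 60)
        last_unlock = last_face = now  # successful Face ID unlock
        n += 1
    return None


if __name__ == "__main__":
    for minutes in (235, 245, 49 * 60):  # 3h55m, 4h05m, 49h
        print(minutes, "min ->", first_forced_passcode(minutes, 14))
```

The 4h05m user is refused at minute 9555 (6 days 15 hours 15 minutes), while the 3h55m user is never refused in two weeks, because each Face ID unlock keeps landing inside the 4-hour window.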

Any smarter security minds out there have any thoughts?
