Touch ID and Face ID are great. We like them, and we use them. But they’re convenience features, not security features, and you have fewer legal protections when using them in the US. When necessary, you can temporarily disable them.
This also applies to Android phones with fingerprint sensors, iris scans, or other biometric features.
Face ID Enables Easy Border Searches
With Face ID, merely looking at your phone (and making eye contact) from three or four feet away will unlock it. Someone can hold up your phone from across a table and, when you look at it, you’ve now unlocked your phone for that person.
As Ars Technica points out, this would provide a way for pushy border guards to unlock your phone and go through its contents. Border guards could already try to compel you to unlock your phone, but this makes it quick and trivial. The US border is considered a special place where many typical protections you’d have against search and seizure don’t apply.
While Ars highlights the risk at the US border, this technique could also be used at many, many other countries’ borders. Anyone traveling internationally should take the risk seriously. You don’t necessarily want to make it easy for border guards to dig through the wealth of personal information available via your phone.
US Courts Say PINs Have More Legal Protection
In the USA, the situation with Touch ID and Face ID is even weirder than you might expect. US courts have ruled that law enforcement can compel you to provide a fingerprint or look at your phone to unlock it. However, law enforcement cannot legally compel you to unlock your phone if you use a passcode, PIN, or password.
In other words, US courts have said the Fifth Amendment of the Constitution protects you from being forced to unlock your phone when you use a PIN, but not when you use a fingerprint, your face, or other biometric data. The Fifth Amendment protects you from being forced to incriminate yourself, but a PIN is considered information you know while your biometrics are considered physical evidence you can be compelled to provide. More specifically, a fingerprint is not considered “testimonial communication,” whereas a PIN or password is.
While we’re referring to Touch ID and Face ID here, the same applies to fingerprint and face unlock on Android. You can’t be compelled to disclose information you know (like a passcode), but you can be compelled to take an action (like providing your fingerprint, face, or other biometrics).
It’s Easier to Get Your Finger or Face Than Your PIN…
The problem isn’t just limited to legal issues with the government. It’s easy to picture situations where a fingerprint or face unlock is worse:
- A child or partner takes your phone and carefully presses it against your fingertip while you’re sleeping to unlock it. A child once used this exact method to buy $250 worth of Pokémon merchandise with a parent’s phone.
- Someone pickpockets your phone and holds it up in front of you in a crowd, you glance their way, and it’s unlocked.
…Or Is It?
Then again, even a strong passcode isn’t necessarily super secure if you use it all the time. One study found that the average American checks their phone 80 times a day. Now, if you’re unlocking your phone that many times per day with a PIN, you’re often doing it in public. Are you sure no one ever sees you type your PIN?
Someone who wants your PIN could probably “shoulder surf” you—literally, peek over your shoulder to watch you tapping it—and they’d know your PIN.
How to Protect Yourself
You don’t necessarily have to disable Touch ID or Face ID entirely. They’re convenience features, and that’s fine. They’re useful, and we use them. But be aware that you’re giving something up: in the US, that’s your Fifth Amendment protection against being compelled to unlock your phone.
However, there are ways to temporarily disable Touch ID, Face ID, or the Android equivalents. For example, you might want to temporarily disable Touch ID or Face ID when going through an international border or when dealing with law enforcement. There are a few ways to do this:
- Emergency SOS Mode (iPhone): On an iPhone 8 or later, press and hold the side button (also known as the power button) and one of the volume buttons. On an iPhone 7 or earlier, rapidly press the side (power) button five times. The text “Emergency SOS” will appear on the screen so you can make an emergency call, if necessary. Touch ID or Face ID will also be temporarily disabled, and you’ll have to re-enter your PIN to unlock your phone.
- Lockdown Mode (Android): If you’re using a phone with Android P or later, you can enable the “Show lockdown option” setting. This gives you a new “Lockdown” shortcut you can access from your phone’s lock screen. Activate it, and your phone’s fingerprint reader and any Smart Lock features will be disabled until you unlock your phone with your PIN.
- Power Off Your Phone: You can also just power off your phone. When you power it on, you’ll have to provide your PIN or password to unlock it. Whether you’re using an iPhone or Android phone, you can’t use Touch ID, Face ID, or the equivalent Android features before providing your PIN. For example, you might just want to power down your phone before going through an international border.
If you’re concerned about this, you can also just disable Touch ID, Face ID, or Android fingerprint unlock and always unlock your phone with a PIN or password.
However, let’s be honest: You’ll have to type your PIN every time you unlock your phone, so someone will probably be able to spot your PIN by glancing over your shoulder.
Know the Risks
We think most people should use Face ID or Touch ID. However, you should know the risks. If you’re about to be in a situation where Face ID or Touch ID seems a little risky, it’s a good time to disable it and rely on a PIN temporarily.