Optic ID, Face ID, Touch ID, passcodes, and passwords
To use Optic ID, Face ID, or Touch ID, the user must set up their device so that a passcode or password is required to unlock it. When one of them detects a successful match, the user’s device unlocks without asking for the device passcode or password. This makes using a longer, more complex passcode or password far more practical because the user doesn’t need to enter it as frequently. Optic ID, Face ID, and Touch ID don’t replace the user’s passcode or password; instead, they provide easy access to the device within thoughtful boundaries and time constraints. This is important because a strong passcode or password forms the foundation for how a user’s iPhone, iPad, Mac, Apple Watch, or Apple Vision Pro cryptographically protects that user’s data.
When a device passcode or password is required
Users can use their passcode or password anytime instead of Optic ID, Face ID, or Touch ID, but there are situations where biometrics aren’t permitted. The following security-sensitive operations always require entry of a passcode or password:
Updating the software
Erasing the device
Viewing or changing passcode settings
Installing configuration profiles
Unlocking the Privacy & Security pane in System Settings (macOS 13 or later) on Mac
Unlocking the Security & Privacy pane in System Preferences (macOS 12 or earlier) on Mac
Unlocking the Users & Groups pane in System Settings (macOS 13 or later) on Mac (if FileVault is turned on)
Unlocking the Users & Groups pane in System Preferences (macOS 12 or earlier) on Mac (if FileVault is turned on)
A passcode or password is also required if the device is in any of the following states:
The device has just been turned on or restarted (doesn’t apply to Apple Vision Pro if the “Nearby iPhone Enables Optic ID” feature is turned on).
The user has logged out of their Mac account (or hasn’t yet logged in).
The user hasn’t unlocked their device for more than 48 hours.
The user hasn’t used their passcode or password to unlock their device for 156 hours (six and a half days), and the user hasn’t used biometric authentication to unlock their device in 4 hours.
The device has received a remote lock command.
The user exited power off/Emergency SOS by pressing and holding either volume button and the Sleep/Wake button simultaneously for 2 seconds and then pressing Cancel.
There were five unsuccessful biometric authentication match attempts (though for usability, the device might offer entering a passcode or password instead of using biometrics after a smaller number of failures).
When Face ID with a mask is enabled on an iPhone, it’s available for the next 6.5 hours after one of the following user actions:
Successful Face ID match attempt (with or without a mask)
Device passcode validation
Device unlock with Apple Watch
Any of these actions extends the period an additional 6.5 hours when performed.
When Optic ID, Face ID, or Touch ID is enabled on an iPhone, iPad, Mac laptop with Touch ID, or Apple Vision Pro, the device immediately locks when the Sleep/Wake button is pressed (if applicable), and the device locks every time it goes to sleep. Optic ID, Face ID, and Touch ID require a successful match—or optionally use of the passcode or password—at every wake.
The probability that a random person in the population could unlock a user’s iPhone, iPad, or Apple Vision Pro is less than 1 in 1,000,000 with Optic ID or Face ID—including when Face ID with a mask is turned on. For a user’s iPhone, iPad, Mac models with Touch ID, and those paired with a Magic Keyboard with Touch ID, it’s less than 1 in 50,000. This probability increases with multiple enrolled fingerprints (up to 1 in 10,000 with five fingerprints) or appearances for Face ID (up to 1 in 500,000 with two appearances). For additional protection, Optic ID, Face ID, and Touch ID allow only five unsuccessful match attempts before a passcode or password is required to obtain access to the user’s device or account. With Face ID, the probability of a false match is higher for:
Twins and siblings who look like the user
Children under the age of 13 (because their distinct facial features may not have fully developed)
The probability is further increased in these two cases when Face ID with a mask is used. If a user is concerned about a false match, Apple recommends using a passcode to authenticate.