Optic ID, Face ID, Touch ID, passcodes, and passwords
To use Optic ID, Face ID, or Touch ID, the user must set up their device so that a passcode or password is required to unlock it. When one of them detects a successful match, the userโs device unlocks without asking for the device passcode or password. This makes using a longer, more complex passcode or password far more practical because the user doesnโt need to enter it as frequently. Optic ID, Face ID, and Touch ID donโt replace the userโs passcode or password; instead, they provide easy access to the device within thoughtful boundaries and time constraints. This is important because a strong passcode or password forms the foundation for how a userโs iPhone, iPad, Mac, Apple Watch, or Apple Vision Pro cryptographically protects that userโs data.
When a device passcode or password is required
Users can use their passcode or password anytime instead of Optic ID, Face ID, or Touch ID, but there are situations where biometrics arenโt permitted. The following security-sensitive operations always require entry of a passcode or password:
Updating the software
Erasing the device
Viewing or changing passcode settings
Installing configuration profiles
Unlocking the Privacy & Security pane in System Settings (macOS 13 or later) on Mac
Unlocking the Security & Privacy pane in System Preferences (macOS 12 or earlier) on Mac
Unlocking the Users & Groups pane in System Settings (macOS 13 or later) on Mac (if FileVault is turned on)
Unlocking the Users & Groups pane in System Preferences (macOS 12 or earlier) on Mac (if FileVault is turned on)
A passcode or password is also required if the device is in any of the following states:
The device has just been turned on or restarted (doesnโt apply to Apple Vision Pro if the โNearby iPhone Enables Optic IDโ feature is turned on).
The user has logged out of their Mac account (or hasnโt yet logged in).
The user hasnโt unlocked their device for more than 48 hours.
The user hasnโt used their passcode or password to unlock their device for 156 hours (six and a half days), and the user hasnโt used biometric authentication to unlock their device in 4 hours.
The device has received a remote lock command.
The user exited power off/Emergency SOS by pressing and holding either volume button and the Sleep/Wake button simultaneously for 2 seconds and then pressing Cancel.
There were five unsuccessful biometric authentication match attempts (though for usability, the device might offer entering a passcode or password instead of using biometrics after a smaller number of failures).
When Face ID with a mask is enabled on an iPhone, itโs available for the next 6.5 hours after one of the following user actions:
Successful Face ID match attempt (with or without a mask)
Device passcode validation
Device unlock with Apple Watch
Any of these actions extends the period an additional 6.5 hours when performed.
When Optic ID, Face ID, or Touch ID is enabled on an iPhone, iPad, Mac laptop with Touch ID, or Apple Vision Pro, the device immediately locks when the Sleep/Wake button is pressed (if applicable), and the device locks every time it goes to sleep. Optic ID, Face ID, and Touch ID require a successful matchโor optionally use of the passcode or passwordโat every wake.
The probability that a random person in the population could unlock a userโs iPhone, iPad, or Apple Vision Pro is less than 1 in 1,000,000 with Optic ID or Face IDโincluding when Face ID with a mask is turned on. For a userโs iPhone, iPad, Mac models with Touch ID, and those paired with a Magic Keyboard with Touch ID, itโs less than 1 in 50,000. This probability increases with multiple enrolled fingerprints (up to 1 in 10,000 with five fingerprints) or appearances for Face ID (up to 1 in 500,000 with two appearances). For additional protection, Optic ID, Face ID, and Touch ID allow only five unsuccessful match attempts before a passcode or password is required to obtain access to the userโs device or account. With Face ID, the probability of a false match is higher for:
Twins and siblings who look like the user
Children under the age of 13 (because their distinct facial features may not have fully developed)
The probability is further increased in these two cases when Face ID with a mask is used. If a user is concerned about a false match, Apple recommends using a passcode to authenticate.