Here's the thing. Fingerprints are uniformly random [1]. Faces aren't. Your average Joe can't use a global online database of fingerprints to find ones that might be "close" to the owners to try to fool it, and that's only after you have the owners fingerprint, not a straightforward task. For faces that database is literally called FACEbook, and getting a picture of the owners face is trivial. And faces aren't random at all: sometimes even distant relatives look alike.
I'm not saying that the 1/1M faceid false positive rate is wrong for the general population, I'm saying that the attack vectors to reduce that number by large factors are much easier and readily available than for touchid.
[1]: Citation needed, I know.
Edit: Apparently I didn't make it clear that I don't think attack vector is to show it a 2D photo (if you had a photo of the owner why would facebook even come into this?), the attack vector is to find a lookalike using 2D photos and show the phone their face in person. Facebook's role is to find the lookalike. This should be trivial to socially engineer after you find the person.
If their number is correct, there are only about 7,000 lookalikes on the planet for any given user. Tracking one down and convincing them to participate in your nefarious scheme seems non-trivial. And remember that you must accomplish this within a fairly short time period (48 hours?) and two failures will lock you out for good.
If you’re the target of an attack by a sophisticated organization like an intelligence agency or a large industrial espionage operation, they might be able to pull this off. Common criminals will just break the phone up for parts. And either way, it’s better than fingerprints.
> convincing them to participate in your nefarious scheme seems non-trivial
Actually this would be the easiest part. E.g. A courier knocks a random persons door and says please sign here and shoves a clipboard in their face (that happens to have a faceid-sized hole in the metal frame) then hands them a random package. Done. No convincing needed, worst case they're confused for a day about why they signed for whatever you put in the box and who sent it and then they forget about it altogether.
You're right about the 7000, except it's likely that a large fraction of that 7000 lives geographically close to you as most family does. I agree that this will take more sophistication than what a common criminal could pull off, but this opens up a wide range between that and state intelligence agency that could try compared to TouchId.
I would like to see a security review with more details about how common false positives are given that you only try lookalikes.
That 1:1,000,000 is for random people. I am really interested in seeing how well it works for members of the same family (not twins). The statement I read seemed to indicate it was less reliable there.
I'm not saying that the 1/1M faceid false positive rate is wrong for the general population, I'm saying that the attack vectors to reduce that number by large factors are much easier and readily available than for touchid.
[1]: Citation needed, I know.
Edit: Apparently I didn't make it clear that I don't think attack vector is to show it a 2D photo (if you had a photo of the owner why would facebook even come into this?), the attack vector is to find a lookalike using 2D photos and show the phone their face in person. Facebook's role is to find the lookalike. This should be trivial to socially engineer after you find the person.