From unlocking the phone to cute animated facial tracking “animojis” to Apple Pay and in-app logins, it is now the defining feature that made the iPhone X the iPhone X, bezel-less notched screen and all. Click here to read more about how Apple’s Face ID works. But as Apple introduces new security measures to make it harder to crack an iPhone, law enforcement, too, is scrambling for legal ways to bypass those protections. Just a few weeks ago, reports about the first known case where law enforcement used a search warrant to force an iPhone X owner to unlock their gadget with Face ID. Note: In case you didn’t know, biometric security methods like fingerprint and face scanners are not protected by the Fifth Amendment (yet) since, unlike passcodes, they are not considered self-incriminatory. Similar to your DNA, it is argued that biometrics are physical characteristics beyond the scope of Fifth Amendment protections. With this legal loophole likely to gain popularity, guidelines and precautions are now being issued to law enforcement to increase their chances of success when using biometric unlocks.

Don’t look at that iPhone X!

Forensics company Elcomsoft has warned law enforcement agents not to look at Face ID-enabled iPhones or risk getting locked out, requiring a passcode to be entered instead. Apple’s Face ID apparently only takes five failed facial scan attempts before it is disabled, requiring the user passcode to unlock the iPhone after that. (This is similar to the blooper that happened to Apple’s Craig Federighi during the iPhone X’s launch event. In his demo, Federighi failed to unlock an iPhone X with his face, forcing him to swap it with a backup phone.) Obtained by Motherboard, Elcomsoft’s presentation slide has these interesting pointers about Face ID:

Expires after 48 hoursYou only have 5 attemptsiPhone X: don’t look at the screen, or else…Use Sleep/Wake button instead

“This is quite simple. Passcode is required after five unsuccessful attempts to match a face,” Vladimir Katalov, Elcomsoft’s CEO, told Motherboard. “So by looking into suspect’s phone, [the] investigator immediately lose one of [the] attempts.”

When is your passcode required?

Katalov also said that this is based on Apple’s own Face ID security guide. According to the guide, these are the instances when a passcode is required to enable Face ID:

The device has just been turned on or restarted.The device hasn’t been unlocked for more than 48 hours.The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.The device has received a remote lock command.After five unsuccessful attempts to match a face.After initiating power off/Emergency SOS by pressing and holding volume button and the side button simultaneously for 2 seconds.

Previously, law enforcement agents were advised to use the power button instead of the Home button to “wake up” a Touch ID-enabled iPhone. But with Face ID, it’s easier to accidentally lose another unlock attempt by merely raising and looking at an iPhone’s screen, so extreme caution is advised.

It’s still a gray area

Forced unlocks with a fingerprint or facial scans may sound like privacy violations, but the practice is still within legality, at least in the U.S. It’s still up for debate, but U.S. courts have previously ordered suspects to unlock their smartphones with their face or fingerprints, setting a precedent for everyone else. Unlike passcodes, it is argued that biometrics are not considered “incriminatory testimonial evidence” so they are treated like they’re not covered by Fifth Amendment protections. In simple terms, face data and fingerprints are currently considered as similar to physical evidence like DNA or handwriting. If for anything else, this highlights once again how rapid technological advances can sometimes outpace the written law, forcing us to reexamine our current legal rights and policies.