Hacking Face ID, the facial recognition system built into Apple's iPhone X, isn't easy. Unless, it turns out, you're a very specific hacker—say, a rare 10-year-old kid, trying to break into the phone of whichever of your parents looks the most like you.

Attaullah Malik and Sana Sherwani made that discovery earlier this month, when their fifth-grade son, Ammar Malik, walked into the bedroom of their Staten Island home to admire their new pair of iPhone Xs just after they’d set up Face ID. “There’s no way you’re getting access to this phone,” the older Malik remembers his wife telling her son, in a half-joking show of strictness.

Malik offered to let Ammar look at his iPhone instead, but the boy picked up his mother's, not knowing which was which. And a split second after he looked at it, the phone unlocked.

The parents were shocked. Ten-year-old Ammar thought it was hilarious. "It was funny at first," Malik told WIRED in a phone call a few days later. "But it wasn't really funny afterward. My wife and I text all the time and there might be something we don’t want him to see. Now my wife has to delete her texts when there's something she doesn’t want Ammar to look at."

With Face ID, Apple has launched a grand experiment in a form of biometric security previously untested at this scale. For the most part, that gamble has paid off; WIRED's failed attempts to fool the system hint at how it defeats the most straightforward attempts at spoofing, and even the Vietnamese hackers who recently claimed to have defeated Face ID used a largely impractical technique. Their method required obtaining a detailed digital scan of their victim's face, and building a mask out of 3-D-printed plastic, silicone, makeup, and paper.

But aside from hackers actively trying to spoof Apple's biometrics, facial recognition presents other, more accidental privacy issues. For one, family members with similar faces can unlock each other's devices. Apple has, in fact, conceded that twins and even non-identical family members may sometimes be able to fool Face ID. But the case of spitting-image children unlocking their parents' phones presents what might be Face ID's most practical concern yet.

"We don’t want to disable Face ID. It’s very convenient. But this is a lot of hassle in terms of privacy," says Malik, who works as the director of technology operations at tech firm Taskstream. He points out that a parent's phone can offer access to apps that encompass everything from banking to food delivery.