-
Leaked code strings buried inside X’s app reveal the platform is actively developing a biometric identity verification system.
-
The strings suggest face scanning may become a mandatory gate before users can access the platform rather than an optional feature.
-
X appears to be integrating Amazon Rekognition Face Liveness, a cloud-based AWS service, to power the entire verification layer.
A developer just exposed what Elon Musk’s X may be quietly building behind the scenes. Researcher and developer @aaronp613 surfaced leaked source code strings from inside X’s app, and the findings are now circulating widely across tech communities.
The strings reveal that X is actively developing a system that could require users to verify their identity through facial recognition before they can continue using the platform.
This is not a small tweak. If these strings make it to public release, accessing X could look very different and very personal.
What the leaked code actually shows
The leaked strings paint a clear picture of what X is building. Among the key entries @aaronp613 uncovered: BIOMETRIC_LOCK_REASON paired with “Verify your identity to continue using X,” BIOMETRIC_LOCK_REQUIRED_LABEL tied to “Biometric authentication required,” and BIOMETRIC_LOCK_VERIFY_PROMPT linked to “Verify your identity to continue.” A retry button string also calls specifically on “Verify with Face ID.”
Together, these strings suggest a fully developed authentication flow; one that reaches far beyond the optional two-factor login features X currently offers. The language reads less like a security upgrade and more like a checkpoint.
Powering the system, according to the disclosure, is Amazon Rekognition Face Liveness, a cloud-based service from Amazon Web Services. The tool confirms that a user is a real, live human being and not a photograph, deepfake, or spoofed image. X’s choice of this technology suggests the company intends this feature as serious identity verification, not a casual convenience tool like a fingerprint unlock.
X’s war on bots reaches a new level
Musk has made fighting bots and fake accounts a central mission since acquiring Twitter in 2022. X has already rolled out paid verification tiers and phone number requirements to introduce friction into account creation. Biometric authentication would represent a dramatic escalation of that effort.
Facial liveness detection is genuinely hard to fake at scale. Requiring it could make mass bot creation far more expensive and technically complex. Advertisers and creators who have long complained about inflated engagement metrics driven by fake accounts could find that prospect very appealing.
But the question the leaked strings raise is about scope and the language leaves little room for ambiguity. Phrases like “Biometric authentication required” and “Verify your identity to continue using X” do not describe an opt-in enhancement. They describe a wall.
Privacy advocates and regulators will have questions
Biometric data (facial geometry in particular) sits at the top of the sensitivity scale for personal information. Unlike passwords, users cannot reset it if something goes wrong. Unlike a phone number, their own physical body generates it.
A private social media company holding or processing facial data for hundreds of millions of users is a scenario that privacy advocates, regulators, and civil liberties organizations will challenge aggressively.
The European Union already imposes strict limits on biometric data processing under GDPR. In the United States, Illinois enforces one of the toughest biometric privacy laws in the country, carrying significant financial penalties for violations. Other states are actively moving in the same direction.
X has made no official announcement about this feature, and leaked code strings do not guarantee a public release. Developers frequently test features internally before shelving or reworking them entirely.
What the strings do confirm, however, is that X is thinking seriously about tying platform access to your face. Whether users hand it over, and whether regulators allow it, remains the bigger story.
Meanwhile, Google’s ‘Results About You’ tool offers a different path, letting users remove their sensitive information from search results entirely, giving individuals control over their digital footprint without requiring them to trust a platform with their biometric data.
