FaceID is very secure - and is significantly more secure than any credential that can be observed by an onlooker, captured by technical means when being used, or "given away" either deliberately or through social manipulation. However, biometric authentication is intentionally disabled in specific circumstances.
Your Passcode is indirectly responsible for much more than just unlocking your iPad. Without delving deeply into the device and iOS/iPadOS software security architectures, this being a complex topic beyond the immediate scope of this reply, perhaps suffice to say that the device Passcode unlocks the iPad's Secure Enclave (the iPad's security chip) within which cryptographic keys (required to decrypt data locally stored on the iPad) and the biometric data used by FaceID and TouchID. Until the iPad is initially unlocked, such as after restarting the iPad, biometric authentication is intentionally not enabled.
As documented by Apple in its Security Guide, for devices with TouchID or FaceID enabled, you device Passcode is required in the following circumstances…
A passcode or password is also required if the device is in any of the following states:
• The device has just been turned on or restarted
• The user has logged out of their Mac account (or hasn’t yet logged in).
• The user hasn’t unlocked their device for more than 48 hours.
• The user hasn’t used their passcode or password to unlock their device for 156 hours (six and a half days), and the user hasn’t used a biometric to unlock their device in
4 hours.
• The device has received a remote lock command
• The user exited power off / Emergency SOS by pressing and holding either volume button and the Sleep/Wake button simultaneously for 2 seconds and then pressing Cancel.
• There were five unsuccessful biometric match attempts (though for usability, the device might offer entering a passcode or password instead of using biometrics after a smaller number of failures).
When Face ID with a mask is enabled on an iPhone, it’s available for the next 6.5 hours after one of the following user actions:
• Successful Face ID match attempt (with or without a mask)
• Device passcode validation
• Device unlock with Apple Watch
Any of these actions extends the period by an additional 6.5 hours when performed.
The core security aspects of iOS/iPadOS cannot be altered by changing security settings. While you can choose to delete the Passcode from your iPad, this action will disable not only the Passcode, but also the Secure Enclave and all security functionality associated with it.
