Google’s new Pixel 4 smartphone doesn’t have a fingerprint sensor. Instead it relies on “Face Unlock,” a proprietary facial scanning system similar to the one found in Apple’s Face ID. Early reports show a system that works well, perhaps too well, in fact, according to some security experts.
To unlock a Pixel, the operator must hold it up to their face while onboard cameras and sensors go to work scanning their mug for defining characteristics — the distance between your eyes, for example. Once the device is confident it’s you, it unlocks and allows you to access the operating system.
With Google’s system, according to the BBC, the Pixel’s Face Unlock function works even if a user’s eyes are closed, a clear and security risk for anyone with a Pixel 4. Using default settings, users who are asleep, or even dead, could unknowingly unlock their phone for others.
According to Google representatives, “Pixel 4 Face Unlock meets the security requirements as a strong biometric.” True, but this in and of itself might not be enough. At its launch, Pixel product manager Sherry Lin said, “There are actually only two face [authorization] solutions that meet the bar for being super-secure. So, you know, for payments, that level — it’s ours and Apple’s.”
With Apple’s Face ID, however, the system checks to ensure the user is “alert” and looking at the camera. That is to say, Apple reduces the chances for an accidental unlock by requiring the user to look in the general direction of the camera.
“If someone can unlock your phone while you’re asleep, it’s a big security problem,” cyber-security expert Graham Cluley told BBC. “Someone unauthorized — a child or partner? — could unlock the phone without your permission by putting it in front of your face while you’re asleep. I wouldn’t trust it to secure the private conversations and data on my phone.”
Google seems to be aware of the problem, stating on a Pixel 4 help page that: “Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed.” Google encourages users to keep their phone in a safe place “like your front pocket or handbag” to reduce the likelihood of these events.
If you’re worried about it, you can always turn on “lockdown,” which disables features like notifications, and any of the phone’s authentication methods.