The facial authentication system in Google’s latest Pixel 4 line of smartphones can be easily defeated because the face unlock feature works even if the user’s eyes are completely shut.
Chris Fox, writing for BBC News:
BBC Google has confirmed the Pixel 4 smartphone’s face unlock system can allow access to a person’s device even if they have their eyes closed. One security expert said it was a significant problem that could allow unauthorized access to the device. By comparison, Apple’s Face ID system checks the user is ‘alert’ and looking at the phone before unlocking.
By default, Face ID unlocks your iPhone only when your eyes are open and you’re looking directly at the screen. The user can optionally turn attention awareness off in Face ID accessibility settings, which lets you unlock your iPhone without necessarily needing to stare at its display but also reduces security.
— Chris Fox (@thisisFoxx) October 15, 2019
Whereas Face ID uses attention awareness by default, Google’s default setting makes it possible to unlock the phone even if the user pretended to be asleep. There’s no other setting to boost the security of Pixel 4’s facial unlock or a switch to turn on attention awareness.
Google said in a statement to BBC that it would continue to improve face unlock over time, but security experts warn that Google’s current implementation leaves users at risk: “If someone can unlock your phone while you’re asleep, it’s a big security problem,” said security blogger Graham Cluley. “Someone unauthorized – a child or partner? – could unlock the phone without your permission by putting it in front of your face while you’re asleep.”
Google actually argued that its system is as secure as Apple’s:
Pixel 4 face unlock meets the security requirements as a strong biometric. There are actually only two face authorization solutions that meet the bar for being super-secure. So, you know, for payments, that level – it’s ours and Apple’s.
Looks like it’s still only Apple.
In early leaks of the Pixel 4, screenshots revealed a ‘require eyes to be open’ setting for face unlock, so it looks as if Google tried to implement a similar feature to Apple’s Attention Aware, but couldn’t get it working in time for the device’s launch.
Interestingly enough, a Google support document acknowledges that Pixel 4 can in fact be unlocked by someone else if it’s held up to the user’s face, even if their eyes are closed.
“Keep your phone in a safe place, like your front pocket or handbag,” the company cautions. The Internet giant also acknowledges that looking at your phone can unlock it even when you don’t intend to (!) and that phone unlock also works with other people who look “a lot” like the device owner, such as an identical sibling (a problem that also plagues Face ID).
To be safe, the user can put the phone in lockdown mode which, aside from other things, disables face unlock (Apple offers a similar feature that disables Face ID until you enter your passcode).
On a similar note, the ultrasonic fingerprint reader positioned under the display of Samsung’s latest Galaxy S10 permits the phone to be unlocked with any fingerprint, not just the one registered to actually unlock the handset during setup.
Samsung has chalked up this to a software bug, promising a fix soon.
Is Face ID still the most reliable facial unlock system for smartphones, would you say?
Let us know by leaving a comment down below.