Google’s recently announced Pixel 4 has a new biometric feature—well, new for Google, at least—face unlock. Like most new biometric systems, that means we’ll probably be writing about security flaws in its implementation, and the first one has already popped up before the phone is even out. You don’t need to have your eyes open for the Pixel 4’s face unlock to work.
The flaw was first publicized by the BBC’s technology reporter, Chris Fox, who was able to get face unlock to work on several people with their eyes closed.
The thing about biometrics versus a password or PIN is that having to enter data via a keyboard is a pretty good indicator of consent. You’re conscious, you’re recalling this secret information, and you’re typing it into the phone. You’re at least aware of what’s going on. Biometrics, on the other hand, are something other people can do for you, or The easiest example is pointing a phone at a sleeping person to unlock it. You could also lift a person’s finger and put it on a fingerprint reader, but at least you have to touch the victim to do that. There’s a real lack of consent and awareness when you can just point the phone at an unconscious person.
Fox gives a great video example on Twitter:
— Chris Fox (@thisisFoxx) October 15, 2019
Other face lock systems, like Apple’s Face ID, have an alertness check that looks for open eyes. Even Google’s old face unlock system for Android 4.1 required you to blink if your head seemed stationary.
Early versions of the Pixel 4 face unlock settings had a checkbox to “Require eyes to be open,” but that is not present on review units or the shipping version. The BBC confirmed with Google that the current, eyes-closed implementation is what will ship to consumers. Google says it will “continue to improve Face Unlock over time.” There is no fingerprint reader on the Pixel 4, so face unlock is the only biometric option.