Affiliate links on Android Authority may earn us a commission. Learn more.
Google’s Pixel 4 launches with face unlock security flaw (Update: Fix coming)
Update, October 21 2019 (2:25AM ET): Google has confirmed to The Verge that it’s working on an eye detection toggle for the Pixel 4’s face unlock feature.
Google told the outlet that the toggle will be available via a software update in “the coming months.” This means Pixel 4 users will likely be in for a long wait until the feature comes to their devices.
The eye detection toggle is a key way to make the Pixel 4’s face unlock more secure, as users will need to be awake and looking at the phone in order for the device to be unlocked. Right now, the Pixel 4 face unlock will authenticate someone’s face if they’re sleeping, opening the door for abuse.
Original article, October 17 2019 (4:40PM ET): Google’s Pixel 4 line launched only a couple of days ago, and a major issue with the devices’ face unlock feature has already been discovered. First spotted by BBC, users can unlock the Pixel 4 using the biometric face unlock even if their eyes are closed.
This is, for obvious reasons, a privacy concern. It allows attackers or authorities to more easily gain access to a person’s device without their permission. Whether the user is asleep or restrained, the Pixel 4 only needs to be raised toward their face for someone to gain access.
When BBC reached out to Google for comment, the company verified that this is how the Pixel 4’s face unlock security functionality works on its final software. Google’s face unlock support page also confirms this. The support page even warns users to keep their device in a safe place to avoid this type of attack and reminds them of Android’s lockdown functionality, which disables biometric unlocking so the device can only be unlocked with a PIN.
The fact that Google is allowing this type of security access through face unlock is surprising, especially since last month’s leaks from Nextrift revealed a “Require eyes to be open” toggle switch, pictured above. This, however, was likely pre-release software on a prototype device. Android Authority has confirmed that this toggle switch is not present on either of its review units.
Android 10‘s code even has built-in support for it, yet it isn’t in the final software. Google very well could release this functionality eventually, but for early adopters, the current state of the Pixel 4 face unlock remains a significant security issue.
When asked about the face unlock feature, Google told Android Authority:
Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps. It is resilient against unlock attempts via other means, like with masks. If you want to temporarily disable face unlock, you can use lockdown mode to temporarily require a PIN/pattern/password.We don’t have anything specific to announce regarding future capabilities, but like most of our products, this feature is designed to get better over time with software updates.
We will update this article as we learn more about the Pixel 4’s face unlock system.