Google has switched from a fingerprint reader to an Apple-style "face unlock" system on its new Pixel 4, but it seems that Google may not have taken the same extra steps when it comes to customer security and privacy that Apple did. While the iPhone (by default) needs you to have your eyes open for Face ID to work in what it calls an "attention" requirement, Google's system is happy to unlock your phone even with your eyes closed.
— Chris Fox (@thisisFoxx) October 15, 2019
Google's support documentation may not be the most accurate these days, but even it is clear about the privacy implications of using the company's new face unlock system, explicitly stating in a disclaimer that "your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed."
Apple's recent iPhones, which also support a facial recognition security system called Face ID, require by default that your eyes be open in what it calls an "Attention Aware" feature. Although it can be disabled for your convenience should you choose, the default setting is to enhance your security by requiring that your eyes be open and looking at the phone, so it shouldn't work while you're sleeping or otherwise unaware of what is occurring.
Extra "require eyes to be open" setting found for Google's face unlock in earlier leaks.
Ensuring that you're awake, aware, and actively intending to unlock the device seems like an obvious step to take for security if it's an option, but for whatever reason, Google seems to have decided not to implement it. Previously, Pixel 4 leaks showed an additional "require eyes to be open" setting for face unlock, though we can confirm that specific option is not present on the Pixel 4 as of now, and Google has also informed the BBC that the setting won't be present when the Pixel 4 is released.
In the meantime, prospective Pixel 4 owners will need to remember that closing your eyes won't protect you from this:
His girl was really committed to cracking his Face ID... pic.twitter.com/FSEwPzsamN
— Guy (@apiecebyguy) September 23, 2019
Following this little snafu, Google has reached out to let us know it plans on addressing the potential issue in a future update, adding an option that will require users have their eyes open to unlock the Pixel 4 via face unlock. Even without the feature, Google believes its solution meets security requirements for its customers, with pin-, pattern-, and password-based alternatives available for those that need improved security.
The company's full statement is just below:
We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months. In the meantime, if any Pixel 4 users are concerned that someone may take their phone and try to unlock it while their eyes are closed, they can activate a security feature that requires a pin, pattern or password for the next unlock. Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps. It is resilient against invalid unlock attempts via other means, like with masks.