Naked Security

Don’t look now, but Pixel 4’s Face Unlock works with eyes closed

There's a risk that someone might get hold of a device and unlock it by holding the screen to the face of its sleeping or unconscious owner.

Does it matter that Google’s Pixel 4 ‘Face Unlock’ works even if the owner has their eyes closed?

For those who’ve never encountered it, the Pixel’s proprietary Face Unlock works by enrolling a model of the user’s face, which is securely stored on a chip inside the phone.

It’s a rival to Apple Face ID, which appeared two years ago in the iPhone X. Google is so confident in the security this technology offers that it even ditched the fingerprint sensor alternative used on older products.

But a BBC reporter has discovered a potential issue – Face Unlock works when the user has his or her eyes closed, for example, when they’re asleep.

Google doesn’t have to confirm this because it’s already on the Pixel 4’s help pages:

Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed. Keep your phone in a safe place, like your front pocket or handbag.

To spell it out, the risk here is that someone might get hold of a device and unlock it by holding the screen to the face of its sleeping or unconscious owner.

Now you see it

However, according to the BBC, images of the Pixel 4 leaked before it launched included a “require eyes to be open” setting in the setup menu, which disappeared when the product was sent for review.

It seems Google thought about adding this requirement but decided not to for reasons that aren’t clear.

It’s the sort of problem that might not be a problem at all, depending on your point of view.

Fix promised

Google told ZDNet that it plans to fix the issue discovered by the BBC within months, without being more specific. In the meantime, the company recommends using a PIN or an unlock pattern.

Or, to put it another way, don’t use Face Unlock until the fix arrives if you’re worried about it being abused in limited circumstances.

But why have it at all, then? As well as wanting to keep up with Apple, Google probably sees facial recognition, as Apple does, as a potential second factor for authenticating transactions, something it would like people to use their phones to do.

Coincidentally, Samsung is having problems this week with its embedded fingerprint reader, which it turns out can be bypassed using a simple gel screen protector.

Biometric authentication is turning out to be a rocky road where big companies find themselves regularly tripping over small stones.

4 Comments

Easily fixed. Just go to settings and check “Check vital signs”, “Check brain activity”, and “Enable blood alcohol threshold validation” check boxes.

Face unlock as the method of unlocking surely also has the weakness that a third party who coerces the phone user to hand over the phone only has to point it at the user’s face to unlock it.

This could be the knifepoint mugger who takes your phone or perhaps the immigration officer or police officer who is checking the user.

In the case of the mugger, face unlock being the authentication method for a banking app gives them ready access to that as well as your data.

As there is no fingerprint reader it seems the only alternative lock is a PIN or pattern.

This appears a retrograde feature.
