“Months” isn’t good enough for a Pixel 4 face unlock fix

Chris Davies - Oct 21, 2019, 12:50pm CDT
“Months” isn’t good enough for a Pixel 4 face unlock fix

Google will update its face unlock system so that the Pixel 4’s security can’t be bypassed even when owners are asleep, but don’t expect that to happen any time soon. The new Android smartphone does away with the fingerprint sensor of its predecessors in favor of a new, ultra-fast face unlock, but the security tech hasn’t quite lived up to expectations.

You can’t complain about its speed, certainly. Combined with the Motion Sense system based on Google’s Soli radar sensor, the Pixel 4 starts to wake as soon as your hand approaches. By the time I’ve lifted it upright, the cameras in the upper bezel have recognized my face and you’re at the home screen.

Problem is, that can happen whether you’re intending to unlock your Pixel 4 or fast asleep at the time. Unlike Face ID on the iPhone 11 Pro, for example, Android doesn’t have any sort of attention tracking. Whereas my iPhone won’t unlock for me until I’m actively looking at it, the Pixel 4 will.

Early leaks of the Pixel 4 suggested Google’s system would operate differently. Screenshots showed there’d be a setting where face unlock would “require eyes to be open” before granting access to the phone, thus preventing someone from simply holding your locked Pixel 4 up to your face while you snooze and then getting their hands on your data. When the Pixel 4 actually arrived, however, that option was no longer there.

Now, Google says that it’s working to restore the setting. “We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months,” the company confirmed to Ars Technica. “In the meantime, if any Pixel 4 users are concerned that someone may take their phone and try to unlock it while their eyes are closed, they can activate a security feature that requires a pin, pattern or password for the next unlock.”

Google also highlighted that the system is resilient in other ways. “Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps,” it pointed out. “It is resilient against invalid unlock attempts via other means, like with masks.”

The Pixel 4 does warn users in the face unlock settings that it won’t take into consideration whether their eyes are open or closed. “Looking at the phone can unlock it when you don’t intend to,” Google explains. “Your phone can be unlocked by someone else if it’s held up to your face, even if your eyes are closed.” The same warning is shown when you first set the phone up, before you turn face unlock on.

I can’t fault Google’s messaging – though I suspect, like with terms of service, most people hit “Next” without reading the small-print – but I do question the wisdom of releasing face unlock at all without what I’d consider to be an essential element of security. Without a fingerprint reader to fall back on, users concerned by this attention omission are left either using a PIN or passcode, or no lock at all.

Security works best when it’s seamless. One big reason for that is the fact that people are pretty lazy, even when it comes to something as serious as locking down the device that’s at the center of most of their digital life. Anything that dissuades Pixel 4 users from turning on the most stringent security on their phone is a problem, and Google’s commitment to patch what seems a pretty obvious loophole in “months” is, frankly, an underwhelming response.

Must Read Bits & Bytes