Don’t look now, but Pixel 4’s Face Unlock works with eyes closed

Does it matter that Google’s Pixel 4 ‘Face Unlock’ works even if the owner has their eyes closed?

For those who’ve never encountered it, the Pixel’s proprietary Face Unlock works by enrolling a model of the user’s face, which is securely stored on a chip inside the phone.

It’s a rival to Apple Face ID, which appeared two years ago in the iPhone X. Google is so confident with the security this technology offers, it even ditched the fingerprint sensor alternative used on older products.

But a BBC reporter has discovered a potential issue – Face Unlock works when the user has his or her eyes closed, for example, when they’re asleep.

Google doesn’t have to confirm this because it’s already on the Pixel 4’s help pages:

Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed. Keep your phone in a safe place, like your front pocket or handbag.

To spell it out, the risk here is that someone might get hold of a device and unlock it by holding the screen to the face of its sleeping or unconscious owner.

Now you see it

However, according to the BBC, images of the Pixel 4 leaked before it launched included a “require eyes to be open” setting in the setup menu, which disappeared when the product was sent for review.

It seems Google thought about adding this requirement but decided not to for reasons that aren’t clear.

It’s the sort of problem that might not be a problem at all, depending on your point of view.

Fix promised

Google told ZDNet that it plans to fix the issue discovered by the BBC within months, without being more specific. In the meantime, the company recommends using a PIN or an unlock pattern.

Or, to put it another way, don’t use Face Unlock until the fix arrives if you’re worried about it being abused in limited circumstances.

But why have it at all then? As well as keeping up with Apple, it’s also likely that, like Apple, Google sees facial recognition as a potential second factor to use as a way of authenticating transactions, something it would like people to use their phones to do.

Coincidentally, Samsung is having problems this week with its embedded fingerprint reader, which it turns out can be bypassed using a simple gel screen protector.

Biometric authentication is turning out to be a rocky road where big companies find themselves regularly tripping over small stones.