I was a bit surprised by how willing the tech press was to believe that Google’s Pixel 4 Face Unlock is somehow as secure as Face ID. That’s not true now. And it’s not true until independent third-party security experts assess the feature.
But one controversy at a time. Let’s address the “now” part, since very few people, an no security experts, have a Pixel 4 at this time.
Sign up for our new free newsletter to get three time-saving tips each Friday — and get free copies of Paul Thurrott's Windows 11 and Windows 10 Field Guides (normally $9.99) as a special welcome gift!
"*" indicates required fields
Last week, a Google support document invited the unwelcome possibility that someone else could unlock their phone simply by holding it in front of the user’s sleeping face. At the time, Google seemed a bit surprised by the concern, which it should have anticipated. And when asked about the problem, it simply said that the feature was designed to get better over time and would.
Still, the bloggers and influencers who were invited to the Pixel 4 launch event almost universally cited as fact that Face Unlock was somehow as secure as Apple’s Face ID feature, which has been proven in the real world and has materially improved over time, especially in performance.
Fortunately, the outcry from potential customers triggered a more substantive reply from Google.
“We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months,” a Google statement explains. “In the meantime, if any Pixel 4 users are concerned that someone may take their phone and try to unlock it while their eyes are closed, they can activate a security feature that requires a PIN, pattern, or password for the next unlock. Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps. It is resilient against invalid unlock attempts via other means, like with masks.”
According to Google, Face Unlock “creates a model of your face, and that model is stored in Pixel’s security chip on the device.” But the trouble comes in the details, as Google also notes that “Looking at your phone can unlock it even when you don’t intend to. Your phone can be unlocked by someone who looks a lot like you, like an identical sibling. [And] your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed.”
That last line, of course, triggered the current and avoidable controversy.
<blockquote><em><a href="#482427">In reply to yoshi:</a></em></blockquote><p><br></p><p>The distinction is opt-out option and opt-in option.</p><p><br></p><p>The former (Apple’s implementation) is better for security while the latter is where Google is going — AFTER stupidly not even providing either option.</p>
<blockquote><em><a href="#482432">In reply to Winner:</a></em></blockquote><p><br></p><p>why? A fingerprint sensor has the same glaring weakness except that you can’t shut off your fingerprint like you can your attention.</p>