Pixel 4 Face Unlock to (Eventually) Require Open Eyes

Posted on October 21, 2019 by Paul Thurrott in Google, Mobile, Android with 27 Comments

I was a bit surprised by how willing the tech press was to believe that Google’s Pixel 4 Face Unlock is somehow as secure as Face ID. That’s not true now. And it’s not true until independent third-party security experts assess the feature.

But one controversy at a time. Let’s address the “now” part, since very few people, an no security experts, have a Pixel 4 at this time.

Last week, a Google support document invited the unwelcome possibility that someone else could unlock their phone simply by holding it in front of the user’s sleeping face. At the time, Google seemed a bit surprised by the concern, which it should have anticipated. And when asked about the problem, it simply said that the feature was designed to get better over time and would.

Still, the bloggers and influencers who were invited to the Pixel 4 launch event almost universally cited as fact that Face Unlock was somehow as secure as Apple’s Face ID feature, which has been proven in the real world and has materially improved over time, especially in performance.

Fortunately, the outcry from potential customers triggered a more substantive reply from Google.

“We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months,” a Google statement explains. “In the meantime, if any Pixel 4 users are concerned that someone may take their phone and try to unlock it while their eyes are closed, they can activate a security feature that requires a PIN, pattern, or password for the next unlock. Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps. It is resilient against invalid unlock attempts via other means, like with masks.”

According to Google, Face Unlock “creates a model of your face, and that model is stored in Pixel’s security chip on the device.” But the trouble comes in the details, as Google also notes that “Looking at your phone can unlock it even when you don’t intend to. Your phone can be unlocked by someone who looks a lot like you, like an identical sibling. [And] your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed.”

That last line, of course, triggered the current and avoidable controversy.

Tagged with ,

Join the discussion!


Don't have a login but want to join the conversation? Become a Thurrott Premium or Basic User to participate

Comments (27)

27 responses to “Pixel 4 Face Unlock to (Eventually) Require Open Eyes”

  1. wright_is

    Leo on TWiT on Sunday held his hand before his guest's eyes as she tried to unlock her Pixel 4, even with his hand in front of her face it unlocked... I only heard it on the podcast this morning on the way to work, I haven't seen the video of the incident.

    • torsampo

      In reply to wright_is:

      I saw the segment on Twit. Flo held the phone up to her face (it unlocked very quickly). She continued to hold the phone up to her face while Leo put his hand over her eyes. She appeared to hit the power button then immediately declared it was unlocked. It was not a clear that the phone was actually re-locked because she never took the phone awary from her face. Also, the angle of the phone was low enough and Leo's hand far enough from her face that it maybe still saw enough of her face to unlock even it was locked (as I understand Pixel face unlock is generous with angles). I don't have a Pixel 4 so can't test myself, but I would not use the bit on Twit as a measure- it was chaotic and haphazard and not an actual test of anything.

      • wolters

        In reply to torsampo:

        I'm not a fan of Flo at all but like you, will see how the upcoming real world reviews show this happening (or not happening)...I look forward to Paul's trusted review.

    • torsampo

      In reply to wright_is:

      My Pixel 4 arrived today and it does not unlock if i cover my eyes with my hand.

  2. DaddyBrownJr

    OMG. Someone can unlock my Pixel XL using the fingerprint reader while I'm asleep!

  3. nicholas_kathrein

    So lets go to the marketing meeting where they decided to do this. I know Apple has the same meetings because their marketing teams actually have a huge part in picking features of new hardware and software.

    Marketing says " You now have something like face id?"

    Engineer says " Yup!"

    Marketing says "Anything that I should know about anything that could make people not like it?"

    Engineer says " Well its really fast and maybe faster than Apple's but only if we don't look for peoples eyes open."

    Marketing says "Why is that?"

    Engineer says " Well if your not looking for eyes then it will unlock at more angles and more quickly. It's still as secure as Apple's if you turn their check off for eyes off."

    Marketing says "Ok, we'll release it without that feature. If we are lucky everyone gets impressed by how fast it open and by the time this is brought up will just say that feature is coming."

  4. madthinus

    Hey, at least Google is consistant: They gave the same care for your privacy as they do in all of their products in this one.

  5. Winner

    Gee, perhaps a fingerprint sensor is a better idea.

    • BrianEricFord

      In reply to Winner:

      why? A fingerprint sensor has the same glaring weakness except that you can’t shut off your fingerprint like you can your attention.

      • Winner

        In reply to BrianEricFord:

        I was just thinking that if you held a phone where it could see a face with closed eyes (the Pixel "weakness", you could certainly hold a stolen iPhone where it pointed at a face with open eyes. The FP sensor requires actual physical contact. But of course that can be done in an undesired way, too.

  6. dcdevito

    Nothing Google delivers after the fact has ever been fully corrected or adjusted, based on personal experience. I bet this never gets fully solved. With Google the real fix is in the next phone.

  7. Daekar

    They're going to release the OPTION for the requirement that your eyes be open? Seriously?

    Google, this is the crap that drives me up the wall and makes me want to buy an iPhone. Just own up to the fact that you overlooked that problem and fix it.

    • yoshi

      In reply to Daekar:

      To be fair, it's also an option on iPhone. It's just turned on by default.

      • Jeffsters

        In reply to yoshi:

        To be fair? Apple’s version works! The option to turn it off is for some outlier cases such as those who may have physical disabilities or, like my brother, facial deformities. How about if this has been Apple? This place would be burning with self-righteousness and Apple haters bashing. Fair? Here? Please!

        • yoshi

          In reply to Jeffsters:

          What? Daekar is complaining that it will be an option on the Pixel. That's all I was replying to. That it's also an option on iPhone.

          • BrianEricFord

            In reply to yoshi:

            The distinction is opt-out option and opt-in option.

            The former (Apple’s implementation) is better for security while the latter is where Google is going — AFTER stupidly not even providing either option.

            • jgraebner

              In reply to BrianEricFord:

              The various leaks showed this option, so I suspect it had a serious bug that Google didn't manage to fix before launch. They should have gotten ahead of this one by owning up the issue immediately, but I strongly suspect this will be fixed pretty quickly and that it will be the default setting once it is.

  8. torsampo

    I can't believe how many people - ahem, excuse me, tech pundits - are up in arms about this. Phone security is important and it's nice to see users will eventually get a choice in this matters. However, if someone is opening your phone while you sleep or trying to unlock your phone when you don't have possession of it (by the authorities, bad actors, etc) then you have much bigger problems. Trust issues with friends/spouses, legal issues, issues of physical threat- all of these seem to supersede "oh no you might get on to my phone". If locking down your phone is such an important issue to you, then don't rely on biometrics of any kind from any phone producer.

    • Vladimir Carli

      In reply to torsampo:

      I hope you are joking, or maybe you just live alone. This is a major design flaw. Any parent I know with teenage kids doesn’t want them to access their phone just waving it in front of them while they sleep

      • torsampo

        In reply to Vladimir:

        It is I who hope you are joking. I have two teenage kids and if I suspected that they would even consider breaking into my phone (for god knows what purpose) by sneaking up on me while i slept then I have much much bigger problems than a missing feature from face unlock. That's a pretty sad comment. I think the option should be there, perhaps even should have been there at launch but if you need it because you don't trust your own kids for even that little bit...I don't know of any parent in my circle of friends who would feel otherwise.

        If security is that important, even in your own home, then don't use biometrics on a Pixel or an iPhone.

      • SvenJ

        In reply to Vladimir: Really. All the teenagers where you live have that little integrity.

    • Jeffsters

      In reply to torsampo:

      My how our opinions on technology evolve depending upon platform. What was it you said about FaceID a year ago?

      • torsampo

        In reply to Jeffsters:

        You really need to settle down. I said I could envision it being a danger while driving a car and I questioned the wisdom of removing a proven biometric to be replaced with a version one biometric. Nothing I have said here contradicts that. If Google had announced Face Unlock 2 years ago and had removed the fingerprint reader I would have been just as skeptical, but this tech has had at least 2 years to mature so I no longer see it as an issue. And yes my opinion on face-based biometrics has evolved..but based on time and development not on platform. That should be obvious. You are just looking for a fight.

        • Jeffsters

          In reply to torsampo:

          No just calling out hypocrisy when I see it! You joined in with the FaceID detractors adding fuel to the fire. You look for fault on one while while now making excuses for the other. No fight just offering a reflective moment.

          • torsampo

            In reply to Jeffsters:

            In what way am I being hypocritical? I wasn't randomly spitting bile at Apple and FaceID. I was voicing a specific concerns about car use and dropping the fingerprint too early. It is not hypocritical to have reservations about being confined to a relatively new tech to unlock your phone and then TWO YEARS later to comment on a new iteration of that technology and whether some possible defect in the new iteration is important or not. One has nothing to do with the other. If I had said "this new face unlock is in no way dangerous while driving because its being made by Google" then you can call me a hypocrite. The fact is I still have some concerns about car use but Android's smart lock pairing with my car's bluetooth hopefully mitigates that with the Pixel 4. I won't know until I try it. Note that two years ago, I pointed out that if iOS had a similar feature it would make my concern moot. At the time I don't recall if anyone confirmed if this was something the iPhone could do (and I still don't know).

            This is a problem with discourse these days. Too frequently unless your opinion is 100% in line with your side's dogma then you are a traitor, hypocrite and enemy. Most argument and discussion deserves more a more nuanced reading than that.

    • wright_is

      In reply to torsampo:

      At the end of the day, biometrics aren't security, they are identity. If you want real security, use biometrics + a security method, like password, PIN, pattern, smartcard etc.

  9. harris0n

    Fingerprints also work when you're asleep.