Google has delivered a sophisticated biometric security feature in its latest Pixel smartphones, but it has a glaring potential flaw: the devices’ Face Unlock system can authenticate a user even if their eyes are closed.
The Pixel 4 and Pixel 4 XL’s Face Unlock system is otherwise pretty impressive. Taking a cue from Apple, Google has developed a 3D face scanning system, enabled by its Soli radar sensor chip. Three-dimensional face scanning is generally considered more secure than conventional 2D facial recognition, given the extra dimension of data and the increased difficulty it presents to hackers who might try to spoof such a system. And early reports suggest that Google’s Face Unlock is extremely fast, opening up an authorized user’s device almost instantly.
Enabling such functionality when the user’s eyes are closed, however, presents a problem. It means that a malicious actor could potentially unlock a device just by pointing it at an unsuspecting user’s face when they’re asleep, to name a more benign example of a potential threat. That’s why, with its Face ID system on the iPhone, Apple developed an ‘attention aware’ feature that can tell if a user is actually looking at a given device.
The omission of such a feature from Google’s newest flagship phones is somewhat puzzling given that early leaks suggested that the Pixel 4’s software included a “Require eyes to be open” option in its settings. And Google is well aware of the security risks, noting on its support website, “Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed.”
There is one solution available to users. A “lockdown” mode disables facial recognition for authentication, presumably letting the user access their device with a PIN. But, as many security experts will explain, the whole point of biometric authentication is that it’s more secure than a password or PIN.
For its part, Google said in a statement that it “will continue to improve Face Unlock over time,” possibly hinting that an ‘attention aware’ feature of its own is in the pipeline.
(Originally posted on Mobile ID World)