The Pixel 4s face unlock works on sleeping, unconscious people

 arstechnica.com  10/18/2019 16:25:11  3  Ron Amadeo
  • The back of this one is white.
  • Normally the forehead is jet black, but if you blast it with light, you can see all the sensors inside.
  • The bottom has one of the stereo speakers.
  • Here you can see the camera bump.
  • The other side has this colorful power button.
  • The new Google Assistant has this multi-colored design at the bottom.

Google's recently announced Pixel 4 has a new biometric featurewell, new for Google, at leastface unlock. Like most new biometric systems, that means we'll probably be writing about security flaws in its implementation, and the first one has already popped up before the phone is even out. You don't need to have your eyes open for the Pixel 4's face unlock to work.The flaw was first publicized by the BBC's technology reporter, Chris Fox, who was able to get face unlock to work on several people with their eyes closed.

The thing about biometrics versus a password or PIN is that having to enter data via a keyboard is a pretty good indicator of consent. You're conscious, you're recalling this secret information, and you're typing it into the phone. You're at least aware of what's going on. Biometrics, on the other hand, are something other people can do for you, ortoyou.The easiest example is pointing a phone at a sleeping person to unlock it. You could also lift a person's finger and put it on a fingerprint reader, but at least you have to touch the victim to do that. There's a real lack of consent and awareness when you can just point the phone at an unconscious person.

Fox gives a great video example on Twitter:

Proof, for those asking #madebygoogle #pixel4 pic.twitter.com/mBDJphVpfB

 Chris Fox (@thisisFoxx) October 15, 2019

Other face lock systems, like Apple's Face ID, have an alertness check that looks for open eyes. Even Google's old face unlock system for Android 4.1 required you to blinkif your head seemed stationary.

Early versions of the Pixel 4 face unlock settings had a checkbox to "Require eyes to be open," but that is not present on review units or the shipping version. The BBC confirmed with Google that the current, eyes-closed implementation is what will ship to consumers. Google says it will "continue to improve Face Unlock over time." There is no fingerprint reader on the Pixel 4, so face unlock is the only biometric option.

If you are worried about having the phone unlocked without your consent, you can either not use face unlock at all, or turn on the "lockdown" option in the power menu, which will disable face unlock temporarily. The lockdown button is off by default, but you can enable the button by searching for "lockdown" in the system settings.

Listing image by Google

« Go back