Skip to main content

Google’s Pixel 4 face unlock has one major privacy weakness

Google’s Pixel 4 face unlock has one major privacy weakness

/

You might want to get familiar with Android’s lockdown feature

Share this story

Photo by Vjeran Pavic / The Verge

Google came up with its own face unlock system for the Pixel 4 and 4 XL using those advanced sensors in the phone’s top bezel. The technology behind it is similar to Apple’s Face ID, and aside from just letting you into your phone, Google believes face unlock is secure enough to serve as an authentication method across Android. (There’s no more fingerprint sensor on the Pixel 4, remember.) And it’s very fast. But BBC News reporter Chris Fox has noticed an alarming privacy concern with Google’s face unlock: it works even if your eyes are fully closed.

A support page about face unlock directly confirms as much. “Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed,” the page reads. “Keep your phone in a safe place, like your front pocket or handbag.” You’ll want to follow that advice at night since face unlock would also work if you’re sound asleep.

This is a risk factor that iPhones don’t share. By default, Apple’s Face ID requires attention — meaning your eyes need to be open and actively looking at the iPhone or iPad Pro screen — to successfully unlock a device. This setting, which Apple says is an added security measure, can be disabled in settings if a customer so chooses. But Apple clearly states that “requiring attention makes Face ID more secure.”

For the Pixel 4, there’s no such option — not yet, at least. There’s evidence that Google is working on it. Among the countless Pixel 4 leaks, you might’ve missed a photo of this screen with an option to “require eyes to be open” for face unlock to work.

However, according to Fox, this toggle is not present on the Pixel 4’s software that will ship to consumers next week. When reached by The Verge, Google didn’t say one way or the other whether this added layer of security is definitely coming. “We don’t have anything specific to announce regarding future features or timing, but like most of our products, this feature is designed to get better over time with future software updates,” a spokesperson said by email.

Maybe you’re wondering why this matters. Well, aside from snooping friends or partners, the Pixel 4’s face unlock (in its current state) could make it easier for authorities to unlock a seized device without the owner’s permission. If all it takes is pointing the phone at your face, that’s not great.

But there is one way Pixel 4 buyers can prevent that possibility until Google rolls out a fix.

Google is reminding customers about Android’s lockdown function, which completely disables biometric authentication and will only unlock a phone if and when the PIN is entered. Lockdown can now be added directly to the power menu options on Pixel phones for fast access if you find yourself in a situation where you urgently need to thwart prying eyes — like so:

iOS has a similarly quick trick: you can just hold down the power button and one of the volume buttons until you see the power down menu (or feel a vibration if you’re not looking at the phone), after which Face ID is temporarily disabled until the PIN is entered.

Here’s how to add a shortcut for lockdown to your power options in Android 10, which is what the Pixel 4 ships with:

  • Open settings
  • Choose Display
  • Expand the “Advanced” section at the bottom
  • Tap on “Lock screen display”
  • Enable “Show lockdown option”

Aside from disabling face unlock, lockdown also turns off smart lock (so your trusted Bluetooth devices won’t unlock the phone if they’re still on you) and hides notifications from the lock screen.