More than 2 years after Apple launched the iPhone X with Face ID, Google has also gone all-in with face unlock on the Pixel 4 and Pixel 4 XL. Google uses hardware similar to Face ID's for face unlock on the Pixel 4, but on a technical level it works slightly differently, which makes it faster than Face ID. As it turns out, though, there is a major security issue with face unlock on the Pixel 4.
Face unlock on the Pixel 4 and Pixel 4 XL will successfully unlock the device when you are sleeping or your eyes are closed. It will also work when you are dead. That does not really make the feature much more secure than regular face unlock on Android smartphones, which relies solely on the front camera. It also makes face unlock on the Pixel 4 series notably inferior to Face ID on the iPhone X/XS and iPhone 11 series.
— Chris Fox (@thisisFoxx) October 15, 2019
Face ID requires that a user’s eyes are open before it will unlock the device. In fact, by default Face ID also requires that you are looking at the display to unlock your device. Apple does offer an option to toggle this feature off to improve the unlock times but even then, it requires that the user’s eyes are open.
Currently, there is no option on the Pixel 4 that requires the user’s eyes to be open during face unlock. Surprisingly, this feature was present in the internal builds of Android 10 running on the phone that had leaked in the wild before its announcement.
The Pixel 4 series offers face unlock as its only biometric authentication method. Apart from unlocking the phone, face unlock is also used for authorizing Google Pay transactions, meaning this security lapse can have major implications. Google will likely improve the security of its face unlocking mechanism and add an option that requires the user’s eyes to be open with a future software update for the Pixel 4 series.
Incidentally, a major security vulnerability with the Samsung Galaxy S10’s in-display fingerprint scanner was also reported less than 24 hours ago. It is funny to see Android OEMs struggle to implement biometric authentication on their devices properly even after so many years while Apple nailed it the very first time around.