In context: The Pixel 4 has not even released yet and someone has already found a security concern with the device. The face unlock feature seems to work even with the user's eyes closed. Someone could open it just by holding up to the owner's face.
Update (10/21/19): Google told TechSpot that it is working on adding and option for the user's eyes to be open when unlocking the phone, but that it is not quite ready. In the meantime, Pixel 4 owners can set the phone to lockdown, as we reported, if they have concerns.
Here is Google's full statement:
"We’ve been working on an option for users to require their eyes to be open to unlock the phone, which will be delivered in a software update in the coming months. In the meantime, if any Pixel 4 users are concerned that someone may take their phone and try to unlock it while their eyes are closed, they can activate a security feature that requires a pin, pattern or password for the next unlock. Pixel 4 face unlock meets the security requirements as a strong biometric, and can be used for payments and app authentication, including banking apps. It is resilient against invalid unlock attempts via other means, like with masks."
One of the Pixel 4 features that Google touted at its Made by Google event was its super-fast face unlock. Radar sensors respond to movement toward the phone and start the process so that it is ready to go as soon as you pick it up.
Pixel 4's face unlock system works similarly to Apple's Face ID, which has had its own problems. However, the BBC notes that an oversight in the functioning of the security feature allows the device to be unlocked even if the owner's eyes are closed. Comparatively, Face ID requires the user to be looking directly at the iPhone with eyes open.
Google admits in its support pages that the id method used is not perfect.
"Important: Looking at your phone can unlock it even when you don't intent to. Your phone can be unlocked by someone who looks a lot like you, like an identical sibling. Your phone can also be unlocked by someone else if it's held up to your face, even if your eyes are closed. Keep your phone in a safe place, like your front pocket or handbag."
There might not be many situations where this could be exploited, but someone could potentially unlock the Pixel 4 while users are asleep or incapacitated. Of course, in the latter case, they probably have worse things to worry about than their phone being breached.
Google's official fix is to enable "lockdown" if you are expecting to be in "unsafe" situations.
While Apple's Face ID requires the user's "attention," it can be disabled in settings. Doing so allows the iPhone to open even when the user's eyes are closed or if looking away. However, that option is off by default, and Apple suggests leaving it this way for ensured security.
For now, there is no way to mimic its competitor's security controls — at least not in the review units. However, a leaked photo shows a settings option to "require eyes to be open" when unlocking the phone (above). The BBC says that this toggle is not present in its device. Google has not been forthcoming with whether or not this added setting will be present in Pixel 4 devices when they ship out next week.
"We don't have anything specific to announce regarding future features or timing, but like most of our products, this feature is designed to get better over time with future software updates," a spokes person told The Verge.
Of course, any concerns of the weakness can be mitigated by disabling biometric authentication (lockdown). When Android is in lockdown mode, it can only be unlocked with the passcode. Lockdown is located in the main settings but can be added to the power-down menu in Android 10.
You can add the shortcut, by going to Settings > Display > Advanced > "Lock screen display," then enabling "Show lockdown option."