Google prepares face unlock fix for Pixel 4 that would require users’ eyes to be open

08 March 2020
One of the biggest criticisms of the Google Pixel’s Face Unlock feature was its insecure nature. It has been 5 months and we’re still waiting for a solution.

Sort by:

  • .
  • .alpha
  • ytx
  • 09 Mar 2020

Shows you how good Apple and Huawei's R&D department's software capability are vs Google.

    • ?
    • Anonymous
    • Y7u
    • 09 Mar 2020

    Anonymous, 07 Mar 2020We are using much more secure methods of unlocking our phon... moreWhether you want to admit it or not, 3D face unlock technology is way more secure than any other security method out there. And I'm pretty sure that the people buying these smartphones are ardent fans of the Pixel lineup and its stock Android experience. I mean, it doesn't take a genius to figure that out lol.

      • D
      • AnonD-909757
      • 0JM
      • 08 Mar 2020

      Nick Tagataka, 08 Mar 2020It's a serious security flaw because it allows other people... moreAnswer part 2 of 2 :
      In order, from the most secure to the least secure :
      *Smart Lock, position only (but only if properly implemented and if you have recent 1m precision satnav tech like BeiDou B1, Galileo E1+E5a, GLONASS L1, and GPS L1+L5) if we consider avoiding to be unlocked outside of your recorder places, it would be crazy to try faking the satnav signals just to unlock someone's phone, but this one is an exception because everyone can unlock it at your house, but outside it is really heavily secure.

      *3D face unlock, because it literally require your face, when properly implemented, mostly if you combine 2 camera + dot projector + IR camera + UV camera + spectroscopy.
      Two camera already do 3D and dot projector reinforce that and they fix potential flow of each other, as they both get different result meaning it increase security to combine both, IR and UV camera reveal details that are not visible on regular light and spectroscopy will detect that this is real flesh, and if you combine spectroscope with the living cell detection AI I linked the article about earlier, it will be even more secured.
      You can go further and use a learning algorithm that will deal with your face which is constantly evolving and it can adapt to head injuries or modifications too, combine that with an algo that will tell if you are static or moving (you can't just perfectly keep your face still) and have an option that require you to actually not keep a straight face, regardless if it is blinking, changing your expression or simply give a nod, and you can go as far as a lips reading algorithm that will be able to read an unlocking sentence with a safety one that can lock your phone for X amount of time or until you get to X location (like your house).
      Imagine how crazy it would be to attempt force unlocking such thing, and except the UV camera and a basic photographer, most of the craziness will happen through software, meaning once they are available, it won't be expensive to put on a production device.
      To force unlock it without your head would be nearly impossible, it would require to put a sensor set at least as good exactly in front of your face for long enough to scan it, but to reproduce your face it would require a high precision 3D model that have the same details in both relief and IR/UV light but also being made out of a real living tissue that have the same spectral signature as a human flesh, all that while knowing what is your sentence and reproduce your lips movements and having a realistic expression...
      Suddenly faking satnav signals doesn't sound that crazy...
      *Fingerprint scanner, note that ultrasonic ones like the 3D Sonic, or way more secure with the 3D Sonic Max are massively more secure than optical ones, they scan in 3D meaning a 2D image of the fingerprint isn't enough, and they can penetrate deep enough through the skin to actually detect heartbeat, meaning it would take a fake 3D finger with fake veins having a fluid beating in a realistic heart-rate with the fluid whose density can be confused for blood for a ultrasonic scanner.
      Optical fingerprint scanner are less secure and the glass + tape trick have chances to work, but it still require to go through that extend to actually unlock it, the average person will be unable to do much.
      *Long and complex password, one would think they are top security, but they have one massive flow, a properly placed camera could compromise it, so if we go up to scenario like using someone's sleeping/unconscious face or using glass and tape to force unlock the phone, we can't ignore someone simply filming, even with the theft own smartphone, someone from behind while the phone owner is focused typing his complex password.
      But that's theoretical, in real life, almost no one would go through the pain of typing a long password to unlock his Smartphone that he daily use, and if the person have data THAT sensitive to keep secure, well, they probably shouldn't put it on any piece of equipment that is online and contain third party software.
      Side note, I consider security through limited number of attempt stupid, the real security against bruteforce attack is simply putting a delay between each attempt, even better an increasing delay for each failed attempt, the reason is that bruteforcing only work because computer are so fast at trying massive amount of combinaisons, if you put a limited number of attempt, a user who is distracted or in a hurry and try to type his long and complicated password might lock his device, while delay will seriously compromise any bruteforce attack, even a constant 1 seconde delay will be enough, but one that add 1 second at each failed attempt would require trillions of years to find even simple passwords, but considering that long password anyway take time to be written this isn't an issue for the user.
      Combined with a simple algorithm who check two things : If the attempts have a pattern, and if the number of characters is matching the one the password have, because bruteforce simply goes in a really simple increment pattern while a more organic "is it E or 3 I used ? Is it uppercase or lowercase ? Did I put the complete year or just the two last numbers ?" will be quite simple to differentiate and exclude leaving the used untouched and if you use a random system to bruteforce, well you'll quickly input password that are far away in term of character count from the original one, though regular hashing don't really reveal the length of the password, it could still be implemented in a secure way.
      *The PIN is the next least secure thing, not only the number of possible combinaisons is usually low, because pins usually have 4 digits, but also it is quite easily observable, mostly if it is done through a numerical keyboard without randomizing digits position, even here, a camera will easily break it even with limited view on the person's display, as data will be quite easy to complete, but also, even someone just looking at it can easily get it.
      *Finally, the pattern, yes, what is considered as the most secured unlock feature is, IMO the least secured of all, not only because any camera or wandering eye can easily catch it, and even without having a view of the display, the hand gesture give it away, and it is quite easy and more natural for human to reproduce patterns than PIN, but the biggest flaw is simply that the finger leave a trace on the display, not only without cleaning the screen it is quite easy for anyone to actually get what is the pattern, but if we go up to scenario like the glass + tape thing, well a repeated pattern will cause more pronounced wear on that part of the display, and with the right tool you can reveal it.
      So in theory by the number of possible attempts, it is indeed one of the most secure, but in real world scenario, it is the easiest system to compromise.

        • D
        • AnonD-909757
        • 0JM
        • 08 Mar 2020

        Nick Tagataka, 08 Mar 2020It's a serious security flaw because it allows other people... moreAnswer part 1 of 2 :

        I can't agree, realistically it won't affect the vast majority of users, first, one need to be aware of that to attempt it in the first place, and most peoples won't ever be in a situation where this can happen, anyway if you have data on your Smartphone, you can already consider them compromised in the first place.
        That leave only the friend case, and well, if you have friends that could do that to you, then you might consider reviewing who are in your entourage, even there it still require "friends" that can recognize what is the smartphone, but also are aware of this flaw, and frankly, outside of the tech passionate, the vast majority won't even realize the Smartphone have 3D face unlock to begin with.
        What DOES help though even with the eyes issue, is if a theft know about those smartphone (and they often do, it would be stupid taking ris stealing a cheap phone), he won't bother try and stole it from you as it will be simply impossible to use, that's one of the biggest advantage of secured 3D face unlock, and except if the person literally 3D scan your face, he won't unlock it.
        The same way someone can hold the phone in your face, they can just put it under one of your finger if you are sleeping or unconscious/dead, plus, except for ultrasonic fingerprint reader, optical ones can be fooled by flat images, so if we go to the "will use your sleepy/unconscious face" theory, we could also easily consider taking your fingerprint out of glass or something like that, making them less secure than the 3D face unlock with the eye flow.
        I am not saying this is not a good thing that it is fixed or that it shouldn't be fixed ASAP as any security flaw small or not should always be, but this isn't that serious as what peoples over exaggerated it, the hypothetical scenario where it can cause troubles have low chances to actually happen.
        I am sure close to no one suffered from this issue since the release of the phone.

        The problem here is that Huawei use their own system for that, and they have a lot of budget to archive that, but Google being the one making Android, it probably mean that the core Android have the same system than the Pixel 4, so for anyone who want to simply put the sensors and lets Google's Android do the rest, that's not really motivating to know about that flow and how badly it is received by the community.
        I'd love to see something like the Mate 30 Pro on core Android, it would for sure heavily encourage manufacturers to use 3D face recognition as it wouldn't require them to research/buy expensive software.
        The best would actually be a dedicated co-processor available on the market (so no proprietary tech) combined with a great software available for free.
        And even if I am wrong and its only about the Pixel and not Android itself, meaning that it is even worse because it require manufacturer to make their own software and even if the system is perfectly secured it won't be properly integrated into Android, it still mean that all this negative ad about it which negatively influence the 3D facial unlock feature implementation...
        Speaking of which, there is high hope as we can read in this new :
        https://www.digit.in/news/mobile-phones/android-to-soon-have-face-unlock-more-secure-than-iphone-52759.html
        It definitely fix the "unlock when you're dead" issue and will help against fake materials like 3D printed heads.

          • G
          • GuyPhone
          • xZI
          • 08 Mar 2020

          Nick Tagataka, 08 Mar 2020Not objectively the "best" Android experience, hence pointl... moreOneUI is the most user-friendly OS yet severely bloated. It has slow system performance and is worsened by its chipset (Exynos), so expect poor battery life and prolonged loading times (as the chipset needs to stress out for the heavy OS). MIUI is still better but it has some more bugs.

            potato4k, 08 Mar 2020They’re sponsored, yet they are quoted and trusted by many ... moreNot objectively the "best" Android experience, hence pointless to talk to others assuming that they share the same view that you have. In fact tons of people around the world consider One UI 2.0 or Oxygen OS as better Android skins, and personally I agree with them.

              GuyPhone, 08 Mar 2020They're sponsored so do you trust what they're saying? But ... moreThey’re sponsored, yet they are quoted and trusted by many people here.
              But hey, best Android experience. Thus why the patch is needed? Hilarious.

                Nick Tagataka, 08 Mar 2020They still haven't fixed the issue? It took almost half a y... moreSince when an advertising company cares about security?
                Besides, do we see any criticism about this? Pretty much all the tech bloggers and youtubers praised the Pixel 4 as the best Android experience, despite the obvious flaws.

                  AnonD-909757, 07 Mar 2020Peoples are SERIOUSLY over exaggerating the issue of the op... moreIt's a serious security flaw because it allows other people to unlock your phone when you're unconscious. So if you're storing something confidential on your Pixel and your children/partner/parents/friends came to you when you're taking a nap on a sofa, they can browse all sorts of stuffs you want to keep yourself without making you realise about it. The same goes in a public space - if you doze off at your office/at park/in a public transportation etc. and leave your phone visible to people around you, there will be a very high risk that they can instantly unlock your phone, again, without having any risk of you noticing what they have done. This would be far more difficult to do when your phone checks whether your eyes are open or use FPS.

                  "because if this really little thing, peoples don't want 3D facial recognition on Android"
                  "stupid to hold back 3D facial recognition because of a single minor flaw"
                  Here's an Android phone that does 3D face unlock perfectly fine: Mate 30 Pro. Not only does it require your eyes to be open in order to start using the device, but it also provides an option to make it attention aware (so unless the user is directly staring into the phone it doesn't unlock), which makes unauthorised access to the device nearly impossible. This also proves that this is not about the entire Android ecosystem or its users, but about Google who is just being too lazy to fix such a significant security issue.
                  To put it simply: Only Google's implementation of 3D face unlock sucked, and they can only blame themselves for that.

                  "This is WAY more secure than the pattern or any other password/pin"
                  Not necessarily true. Even security agencies have a really difficult time unlock dead suspects' phones protected by long password/pin/patterns especially the ones with limited number of attempts.

                    They still haven't fixed the issue? It took almost half a year for the company who's supposed to be the fastest when it comes to security patches to fix such a fundamental security flaw, oh what an irony.

                      • G
                      • GuyPhone
                      • xZI
                      • 08 Mar 2020

                      potato4k, 07 Mar 2020What? All the Tech bloggers and youtubers had said that the... moreThey're sponsored so do you trust what they're saying? But yes they're stock Androids so their system performance is very fast. Probably faster than iOS or OxygenOS.

                        What? All the Tech bloggers and youtubers had said that the Pixel 4 gives the best Android experience, so why do they need to fix things?

                          • J
                          • Jimbob
                          • gKH
                          • 07 Mar 2020

                          It took them that long just to fix eye unlock.. this phone is already dead though.. nobody wants it. Previous Pixels are far better & have fingerprint scanners.

                            Anonymous, 07 Mar 2020Easier to hold a phone over someone's face when they're sle... moreJust to get there and hold the phone over the face without waking them up with the device lighting up the face may prove a challenge in itself. Especially if you sleep on the side or on the belly...

                              • ?
                              • Anonymous
                              • XRg
                              • 07 Mar 2020

                              FapPhone, 07 Mar 2020K20 Pro used SD855, what utter rubbish you're saying. K30 ... more*SD855
                              still better than Pixel 3a which had mid range chipset.

                                • D
                                • AnonD-909757
                                • 3g5
                                • 07 Mar 2020

                                Peoples are SERIOUSLY over exaggerating the issue of the open eyes things, as a comment I read yesterday about that said :

                                "Eyes open or closed adds minimal security. If you are in a relationship where your spouse is trying to unlock your phone while you sleep - you need to get out of the relationship.

                                If you are in a situation where a bad guy is holding you hostage and forcing you to unlock your phone, you're in a very unfortunate situation and that really sucks, but I don't think keeping your eyes closed is really going to save you.

                                If you're dead and your worried about the government/police unlocking your phone, I believe the government will be able to keep your eyes open for half a second to unlock your phone.


                                People just looking to complain. We complain about everything (see above)"

                                Personally my girlfriend know my pattern, hell I even registered her fingerprint on my phone.
                                And if your friends do that, well you have unreliable friends.
                                Also if you are dead, you aren't really concerned about your personal data anymore anyway.

                                The issue is that, because if this really little thing, peoples don't want 3D facial recognition on Android which is stupid because a "bad" security is better than none, and considering that the eyes thing don't really impact security much and that 3D facial recognition IS the best actually available form of security on any portable devices until the Qualcomm 3D Sonic Max hit the market in a phone, this is really stupid to hold back 3D facial recognition because of a single minor flaw.
                                I'd love to have a smartphone with both real 3D facial recognition like the Pixel 4, but also a great ultrasonic fingerprint reader (which are way better than optical ones as they can't be fooled by flat images) such as the 3D Sonic Max or any potential alternative.
                                This is WAY more secure than the pattern or any other password/pin, and the sensors themselves aren't that expensive.
                                But because of the teardrop notch and punch hole, the trend is now to have a single almost useless selfie camera, even on device with pop up or bezel.
                                That's probably because it took so much time to be fixed, I am sure it is actually easy to just implement in code that eyes are to be visible since eyes are actually one of the most important part of the head tracking that allow facial recognition in the first place.
                                But since it has a really minor impact on security, they didn't saw necessity to fix it right away, hell I am pretty sure its near impossible to find any relevant number of cases where the closed eyes thing had caused any issues, paradoxically, that's because media and users made such a tantrum about it that it became really known, otherwise I am sure almost no one would had care, but because so much peoples talked about it, it can actually push peoples to exploit it.
                                So as usual, peoples are the reason of the problem.

                                I hope that now they are fixing it, peoples won't be as stupid about it and that the Android industry will FINALLY began to add on of the most, that when properly implemented is THE MOST secure unlocking feature a smartphone can have.

                                  • K
                                  • Khalifi umar
                                  • Nuf
                                  • 07 Mar 2020

                                  More convent.

                                    • F
                                    • FapPhone
                                    • xZI
                                    • 07 Mar 2020

                                    Anonymous, 07 Mar 2020Not buying mid range chipset at 400 dollar price point espe... moreK20 Pro used SD855, what utter rubbish you're saying.
                                    K30 Pro is using SD865 but is a serious bendgate.

                                      "It has been 5 years..."

                                        • F
                                        • Fayth
                                        • XTA
                                        • 07 Mar 2020

                                        so all this time... this whole time
                                        they don't have this feature?
                                        I must be living under a rock

                                          1 of 2