Google’s New Pixel 4 Phones Have a Massive Face Unlock Security Risk

Google Pixel 4 Face Unlock Credit: The Verge

If you use a Google Pixel 4 or Google Pixel 4 XL, you may want to skip the new face unlock feature and just rely on a passcode.

That’s because the new face unlock feature has a major privacy weakness that’s not shared by its closest competitor, Face ID.

Specifically, Google’s face unlock feature will work even if your eyes are closed.

“Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed,” a Google support page reads. “Keep your phone in a safe place, like your front pocket or handbag.”

The face unlock feature on the Google Pixel 4 series works a bit like Apple’s own Face ID. It uses depth-mapping instead of the notoriously easy-to-bypass 2D facial recognition of other Android smartphones.

Because of that, Google believes that face unlock is secure enough not only to lock your phone, but also to authorize financial transactions and other secure authentication features across Android. In fact, Google has even nixed the fingerprint sensor on the new Pixel devices.

But, of course, that security really goes out the window if someone can simply unlock your phone and potentially access sensitive apps within your phone when you’re sleeping.

This is a privacy and security risk that isn’t shared by Apple’s Face ID, which also uses 3D depth-mapping but was far ahead of its Android competitors at launch. Face ID requires a user’s attention to unlock, meaning that their eyes need to be open and actively looking at the screen.

There are, of course, bypasses for that requirement. Earlier this year, security researchers showed off a simple hack at the Black Hat conference in Las Vegas that can be used to bypass Face ID when a user is sleeping or unconscious.

But an attacker won’t need to use that trick against Google’s face unlock. They simply need to wait until someone is sleeping or unconscious.

While there are hints that Google may add a similar attention requirement in software down the road, that feature won’t be present at launch. That means Google Pixel 4 users are going to be vulnerable to having their devices unlocked without their permission.

Until Google fixes the problem, it may be worth getting familiar with the Android lockdown feature. Alternatively, you may want to just stick to using a passcode.
