Major Flaw in Face Unlock - You no longer have a choice

Cherenkov

Well-known member
Oct 21, 2011
206
4
0
Visit site
I received my Pixel 4 XL yesterday. So far.. eh. Not super impressed. Face unlock is cool. However, I've already had information compromised because of it. Hear me out.

I don't like gesture navigation. I keep pulling up the app drawer or app search when I'm trying to swap between active apps. I really, really don't like the sharp edges at the bottom of the screen with the bar it super-imposes when it's running. It looks like the flat tire effect we saw on the first gen Android watches. So I called Google Support to ask how to disable this. They wanted to do a screen share, to see what I was talking about. I said sure, it'll make things easier.

We determined that you can turn off gesture navigation to get rid of that visual effect. Upon doing so my phone, on its own, cycled through all of my recent apps, landing on my password manager. My password manager, upon seeing my face, immediately unlocked, displaying sensitive passwords to the Google support agents (and also recording them via their screen share tool). I had no say in this. Normally my password manger uses a fingerprint scanner. I can choose when to apply said fingerprint to the scanner to unlock the app, otherwise it remains closed. But with Face Unlock, if the phone can see your face, the app unlocks. So as soon as the password manager became the active application, it saw me, unlocked itself, and exposed my data.

Of course I have the option to disable face unlock, but with no fingerprint scanner, this means I have to go back to a PIN (not at all secure really) or a complex password (very tedious to use). I can imagine other scenarios in which you might open an app accidentally, or even just want to glance at your phone without unlocking it, but since Face unlock is automatic, suddenly your app or phone is open whether you like it or not.
 

dmxjago

Well-known member
Jul 3, 2012
1,463
5
0
Visit site
I received my Pixel 4 XL yesterday. So far.. eh. Not super impressed. Face unlock is cool. However, I've already had information compromised because of it. Hear me out.

I don't like gesture navigation. I keep pulling up the app drawer or app search when I'm trying to swap between active apps. I really, really don't like the sharp edges at the bottom of the screen with the bar it super-imposes when it's running. It looks like the flat tire effect we saw on the first gen Android watches. So I called Google Support to ask how to disable this. They wanted to do a screen share, to see what I was talking about. I said sure, it'll make things easier.

We determined that you can turn off gesture navigation to get rid of that visual effect. Upon doing so my phone, on its own, cycled through all of my recent apps, landing on my password manager. My password manager, upon seeing my face, immediately unlocked, displaying sensitive passwords to the Google support agents (and also recording them via their screen share tool). I had no say in this. Normally my password manger uses a fingerprint scanner. I can choose when to apply said fingerprint to the scanner to unlock the app, otherwise it remains closed. But with Face Unlock, if the phone can see your face, the app unlocks. So as soon as the password manager became the active application, it saw me, unlocked itself, and exposed my data.

Of course I have the option to disable face unlock, but with no fingerprint scanner, this means I have to go back to a PIN (not at all secure really) or a complex password (very tedious to use). I can imagine other scenarios in which you might open an app accidentally, or even just want to glance at your phone without unlocking it, but since Face unlock is automatic, suddenly your app or phone is open whether you like it or not.
That sucks. What an unlucky thing. I received mine today and loving it. I like the new gestures system and been using it since it was made available in the beta so I've been used to it for months.
 

Jeremy8000

Well-known member
Jul 11, 2012
2,567
159
63
Visit site
Very unfortunate situation, sorry to read that happened to you. Not wanting to seem insensitive, but candidly, this isn't a fault of Google's software design - your granting them screen share is essentially the same as your letting a friend look at your phone alongside you. Generally speaking, before granting such permission you should be closing out anything you wouldn't want them to see.

Something that comes to mind that might be nice to see implemented would be the ability to wall off certain applications or functions such that biometrics cannot unlock them, and those specific apps/functions would require a PIN/PW.
 

Almeuit

Moderator Team Leader
Moderator
Apr 17, 2012
32,278
23
0
Visit site
I received my Pixel 4 XL yesterday. So far.. eh. Not super impressed. Face unlock is cool. However, I've already had information compromised because of it. Hear me out.

I don't like gesture navigation. I keep pulling up the app drawer or app search when I'm trying to swap between active apps. I really, really don't like the sharp edges at the bottom of the screen with the bar it super-imposes when it's running. It looks like the flat tire effect we saw on the first gen Android watches. So I called Google Support to ask how to disable this. They wanted to do a screen share, to see what I was talking about. I said sure, it'll make things easier.

We determined that you can turn off gesture navigation to get rid of that visual effect. Upon doing so my phone, on its own, cycled through all of my recent apps, landing on my password manager. My password manager, upon seeing my face, immediately unlocked, displaying sensitive passwords to the Google support agents (and also recording them via their screen share tool). I had no say in this. Normally my password manger uses a fingerprint scanner. I can choose when to apply said fingerprint to the scanner to unlock the app, otherwise it remains closed. But with Face Unlock, if the phone can see your face, the app unlocks. So as soon as the password manager became the active application, it saw me, unlocked itself, and exposed my data.

Of course I have the option to disable face unlock, but with no fingerprint scanner, this means I have to go back to a PIN (not at all secure really) or a complex password (very tedious to use). I can imagine other scenarios in which you might open an app accidentally, or even just want to glance at your phone without unlocking it, but since Face unlock is automatic, suddenly your app or phone is open whether you like it or not.

What password manager? I would blame the PW manager first before Google...

LastPass is in beta and does this....
 

Attachments

  • lp_beta.jpg
    lp_beta.jpg
    245.5 KB · Views: 24

Almeuit

Moderator Team Leader
Moderator
Apr 17, 2012
32,278
23
0
Visit site
Something that comes to mind that might be nice to see implemented would be the ability to wall off certain applications or functions such that biometrics cannot unlock them, and those specific apps/functions would require a PIN/PW.

Most PW managers allow this without issue. I know for LP you have to turn on Biometrics -- it doesn't default to on.
 

Cherenkov

Well-known member
Oct 21, 2011
206
4
0
Visit site
Correct, for the manager I use, you don't have to hit a button or anything else. As soon as it sees you, you're in. I'll contact the devs to see if they want to put some kind of confirmation in place. My overall point was that this could impact any app that uses face unlock.
 

N4Newbie

Trusted Member
Nov 15, 2012
5,006
1
36
Visit site
I think the point that is being missed is that with the fingerprint sensor, the user gets to decide when he wants his phone to unlock whereas with Face Unlock it can very easily happen unintentionally.

The result is anything from a minor to a major security risk, depending on circumstances, to a minor inconvenience - have to keep manually locking the phone every time it unintentionally unlocks itself.
 

Almeuit

Moderator Team Leader
Moderator
Apr 17, 2012
32,278
23
0
Visit site
The result is anything from a minor to a major security risk, depending on circumstances, to a minor inconvenience - have to keep manually locking the phone every time it unintentionally unlocks itself.

Know what would solve that? Eye / Attention detection. That is why people griped and everyone said "no big deal!" -- and now they can see why it is annoying.
 

N4Newbie

Trusted Member
Nov 15, 2012
5,006
1
36
Visit site
Know what would solve that? Eye / Attention detection. That is why people griped and everyone said "no big deal!" -- and now they can see why it is annoying.

That would help but I'm not convinced it will fully resolve the problem. As others have pointed out, I want to be able to look at my phone to see the current time or a notification that just popped up without the damn thing unlocking itself every time.
 

Almeuit

Moderator Team Leader
Moderator
Apr 17, 2012
32,278
23
0
Visit site
That would help but I'm not convinced it will fully resolve the problem. As others have pointed out, I want to be able to look at my phone to see the current time or a notification that just popped up without the damn thing unlocking itself every time.

So you simply set the phone to not insta unlock -- and to stay on the lock screen. You can look and see the time.. it will unlock technically but the screen will time out way faster then if it fully unlocked to desktop.
 

Cherenkov

Well-known member
Oct 21, 2011
206
4
0
Visit site
I wonder if they could code in an option to tie it to a button. In particular, the whole phone squeezie thing. I know some people use that for Google Assistant, I don't. But you press a button, that triggers the phone to look at you and then unlock. You get all the functionality of a biometric unlock while still having a choice as to when it's triggered. It wouldn't be 100% hands free any more, but as an option I'd take it over the way they've got it set up currently.
 

SupraLB

Well-known member
Oct 28, 2015
815
0
0
Visit site
What a huge dumpster fire mess Google has created. I'm hoping the Pixel 4a brings back the fingerprint sensor.
 

Morty2264

Ambassador
Mar 6, 2012
22,922
1,053
113
Visit site
I am so sorry this happened to you, OP. What was the Google support staff's response to the situation?

You are right in that Face Unlock does expose your information and/or unlock your device without your meaning it to.

I wish that the Pixel 4 had an additional method of security - even an in-screen fingerprint scanner - so those of us who dislike Face Unlock could use that method instead. Even on my S10, I have Face Unlock disabled and doubt I will use it. I may try it but it's not something I'm at all interested in using long term.

Please keep us posted on what you decide to do with your device.
 

Cherenkov

Well-known member
Oct 21, 2011
206
4
0
Visit site
Support basically said that Face Unlock was the new path Google is taking, kept assuring me that Google has no access to my data (I had to explain that it was exposed because the app unlocked automatically, not that screen share had somehow downloaded it). It all boiled down to "we appreciate your concerns and I'll log this as customer feedback". They had no real helpful advice other than disabling Face Unlock.
 

Morty2264

Ambassador
Mar 6, 2012
22,922
1,053
113
Visit site
Support basically said that Face Unlock was the new path Google is taking, kept assuring me that Google has no access to my data (I had to explain that it was exposed because the app unlocked automatically, not that screen share had somehow downloaded it). It all boiled down to "we appreciate your concerns and I'll log this as customer feedback". They had no real helpful advice other than disabling Face Unlock.

I'm sorry that that experience was not as fulfilling as you wanted it to be. That's too bad that the Face Unlock route is the path that Google seems to be taking. At least they will log your concerns.
 

N4Newbie

Trusted Member
Nov 15, 2012
5,006
1
36
Visit site
So you simply set the phone to not insta unlock -- and to stay on the lock screen. You can look and see the time.. it will unlock technically but the screen will time out way faster then if it fully unlocked to desktop.

That's hardly an answer, though.

With the FPS on my 3XL and previous phones, *I* decide when I want the phone to unlock and, yes, it goes instantly and directly to whatever screen or app it was on when I last locked it.

What you are proposing is that I either inconvenience myself one way (phone constantly unlocks unintentionally) or the other way (phone requires me to swipe away the lock screen). Both options suck and, frankly, are a stupid design decision.
 

Trending Posts

Forum statistics

Threads
942,403
Messages
6,913,916
Members
3,158,398
Latest member
Chelrie