SoylentNews is people
SoylentNews
from the dead-sure-that-it-shouldn't-do-that dept.
Submitted via IRC for SoyCow1984
Pixel 4's 'Face Unlock' works even if you're asleep or dead -- and that's a problem
Google's new Pixel 4 smartphone doesn't have a fingerprint sensor. Instead it relies on "Face Unlock," a proprietary facial scanning system similar to the one found in Apple's Face ID. Early reports show a system that works well, perhaps too well, in fact, according to some security experts.
To unlock a Pixel, the operator must hold it up to their face while onboard cameras and sensors go to work scanning their mug for defining characteristics — the distance between your eyes, for example. Once the device is confident it's you, it unlocks and allows you to access the operating system.
With Google's system, according to the BBC, the Pixel's Face Unlock function works even if a user's eyes are closed, a clear and security risk for anyone with a Pixel 4. Using default settings, users who are asleep, or even dead, could unknowingly unlock their phone for others.
According to Google representatives, "Pixel 4 Face Unlock meets the security requirements as a strong biometric." True, but this in and of itself might not be enough. At its launch, Pixel product manager Sherry Lin said, "There are actually only two face [authorization] solutions that meet the bar for being super-secure. So, you know, for payments, that level — it's ours and Apple's."
(Score: 3, Insightful) by bradley13 on Sunday October 20 2019, @03:28PM (6 children)
This is not news. At best, biometrics can supplement a password, but by themselves they are not secure.
Everyone is somebody else's weirdo.
(Score: 3, Informative) by stretch611 on Sunday October 20 2019, @04:26PM (3 children)
Exactly.
I just got a new phone. (my 4 year old phone started to not charge due to a loose USB connector.)
It had both face unlock and fingerprint scanning. The first thing I did was disable both and add a passcode.
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 0) by Anonymous Coward on Sunday October 20 2019, @09:39PM (2 children)
why not enable both and add a passcode... if your aim is to be as secure as possible.
I think if you're a banking/payment app, you'd want to enable tired combo of secrets depending on the task.
(Score: 2) by MostCynical on Sunday October 20 2019, @10:19PM
Most phones allow only one form of security at a time, and, alas, only one to unlock everything..
I, and many others, would love one unlock to make calls, send messages, &c, and then a second unlock for anything else (adding or deleting, operating system changes..)
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 4, Insightful) by NotSanguine on Sunday October 20 2019, @10:26PM
You need to stay the hell off my gigantic security failure waiting to happen [malwarebytes.com].
in fact, anything related to my financial life has no place on any device that other folks can remotely control or update.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Insightful) by Anonymous Coward on Sunday October 20 2019, @08:25PM
Anyone with a clue knows that biometrics should never be an alternative to passwords. At best, biometrics might be considered as an alternative to a user ID, but validating the identity claim should be something that can be changed. Nobody, government included (especially?), can be trusted not to share, leak, or otherwise misuse validation data.
When biometrics-as-password data invariably leaks, how are you supposed to change your fingerprints, retinal patterns, or whatever they're recording for facial recognition?
(Score: 0) by Anonymous Coward on Monday October 21 2019, @02:10AM
Yes, but once somebody has that cracked, then there's not much you can do about it. At least with dongles you can change the dongle to a different one. Try doing that with your face.