Facial authentication security

November 10, 2019

The Pixel 4 got dinged by the tech press for the fact that its facial authentication works if your eyes are closed. On the one hand, sure, ideally it would detect that you’re awake, alive, and consenting before it unlocks the phone. On the other hand, I wonder a bit about people for whom this is a concern. If you’re seriously worried about people unlocking your phone while you sleep, you might have bigger issues to contend with in your life.

Security driven by biometrics (face, voice, fingerprint, etc.) is always probabilistic, and the goal is to find an appropriate balance between false positives (letting the wrong people authenticate) and false negatives (not letting the right people authenticate). In practice, mobile operating systems tend to err on the side of false positives: what are the odds you’re really going to go around verifying that the security is as robust as the developers claim? You will, however, immediately notice if your phone repeatedly refuses to let you authenticate.

Apple, for example, likes to brag that there’s only a one in a million chance that someone else’s face can unlock your iPhone. Well, my wife recently got a new iPhone 11, and my daughter can reliably unlock it with her own face. I suspect it’s because they both wear glasses, which complicate face recognition (my daughter can only unlock my wife’s iPhone when she’s wearing her glasses; if she takes them off it doesn’t work). Sure, she could be that one-in-a-million outlier. Or Apple could be overstating the quality of its face authentication. Finding an appropriate balance between false positives and false negatives is hard.
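The trade-off described above can be made concrete with a small model. This is an added example, not from the original post or from any vendor: the three match-score distributions (owner, unrelated stranger, look-alike relative) and all their parameters are constructed assumptions. It calibrates the accept threshold to a one-in-a-million false-accept rate against strangers, then evaluates that same threshold against a relative and against the owner.

```python
from statistics import NormalDist

# Constructed match-score distributions (similarity in [0, 1]); not measured data.
GENUINE = NormalDist(mu=0.90, sigma=0.04)    # owner presenting their own face
STRANGER = NormalDist(mu=0.30, sigma=0.10)   # unrelated person (random impostor)
RELATIVE = NormalDist(mu=0.60, sigma=0.10)   # look-alike relative (assumed shift)


def false_accept_rate(impostor: NormalDist, threshold: float) -> float:
    """Probability an impostor's score reaches the threshold (false positive)."""
    return 1.0 - impostor.cdf(threshold)


def false_reject_rate(genuine: NormalDist, threshold: float) -> float:
    """Probability the owner's score falls below the threshold (false negative)."""
    return genuine.cdf(threshold)


def threshold_for_far(impostor: NormalDist, target_far: float) -> float:
    """Threshold at which the false-accept rate against `impostor` equals target_far."""
    return impostor.inv_cdf(1.0 - target_far)


def report(target_far: float = 1e-6) -> dict:
    """Calibrate against strangers, then measure the other two populations."""
    t = threshold_for_far(STRANGER, target_far)
    return {
        "threshold": t,
        "far_stranger": false_accept_rate(STRANGER, t),
        "far_relative": false_accept_rate(RELATIVE, t),
        "frr_owner": false_reject_rate(GENUINE, t),
    }


if __name__ == "__main__":
    # Sweep the threshold: raising it trades false accepts for false rejects.
    for t in (0.60, 0.70, 0.78, 0.85):
        print(f"t={t:.2f}  FAR(stranger)={false_accept_rate(STRANGER, t):.2e}  "
              f"FAR(relative)={false_accept_rate(RELATIVE, t):.2e}  "
              f"FRR(owner)={false_reject_rate(GENUINE, t):.2e}")
    print(report())
```

Under these assumed numbers, a threshold that holds strangers to one in a million still accepts the relative on a few percent of attempts, so a false-accept figure only means something relative to the impostor population it was measured against.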

