Samsung: Anyone's thumbprint can unlock Galaxy S10 phone (bbc.co.uk)
668 points by choult on Oct 17, 2019 | 309 comments


It isn’t just Samsung making crappy biometrics: take a look at the face unlock marketing copy on the Pixel 4.

It just says “simply look at your phone to securely unlock it.” They make no claims about how secure it is.

In fact there are already articles showing how the unlock feature works while you’re asleep: https://9to5google.com/2019/10/16/pixel-4-tidbits-face-unloc...

To my knowledge, Apple is the only vendor that actually made in-depth claims about the security of their face unlock solution. They’re the only vendor that assumed anyone cared.

Android OEMs are working off a feature checklist and that’s about it.


Sure but this sounds like a software bug. There isn’t any way the screen protector makes the returned “ultrasounds” look like the one it’s expecting, it just confuses the reader which should result in rejected authentication. Seems sloppy.


My guess is that the screen protector is blocking the ultrasonics so when you 'register' a finger you're actually registering the screen protector. This means that any finger will work as each time it sees the same screen protector.

The fix will just have to be building a profile of what screen protectors look like to the sensor and rejecting registrations that look like them with a helpful message about screen protectors.


I just got one of the cheapest phones that Samsung makes, the A50. There is an aftermarket screen protector on the screen.

I was able to register my nose to unlock the phone via the "fingerprint" sensor. Interestingly enough, it will reliably unlock with my nose, but not with either of my daughters' noses.


Three factors of security:

Something you have.

Something you are.

Something you nose.


Does it pass the sniff test?


You, sir, made me laugh!


This is also possible with Touch ID on iOS devices—one of my friends enrolled his nose and five toes. You can put multiple fingers or toes in one “finger” slot if you lift and set down different digits instead of the same one, albeit less accurately.


Using the nose is practical when it is minus 20 C and you really don’t want to remove your mittens.


Do you mean that your daughters' noses can't unlock your phone when your nose is registered or theirs? The former sounds like it's working as designed. Fingers aren't the only body parts with unique patterns, just the most practical one to scan.


I mean that the phone will correctly reject my daughters' noses when my nose is registered.


Enjoyable story. Please add to HBO's Silicon Valley script =)


Or model what fingerprints look like, which was their job after all. What you do for people with disfigurements and birth defects, I couldn’t say. But you should be able to flag the data as sketchy.

Is this an example of AI gone bad, or something else?


I doubt there's any AI involved in this. I think they've never bothered to really consider what a fingerprint actually looks like. This is fairly evidenced by how every single phone fingerprint reader seems to readily accept many other body parts and I suspect also things that have similar conductivities to human skin.


One place I worked at, the fingerprint reader for security was horrible... you had to get your finger in the exact same position. Sometimes it'd work in the morning, but not in the afternoon after lunch. I thought it was funny how my phone could figure it out, but the building system couldn't... of course the building only took two sample scans, while my phone will take 6 or so.


Maybe the phones are only "figuring it out" by having very loose acceptance criteria for the correct pattern. For all we know, the 6 scans could be mostly marketing fluff to give the appearance of robust matching.


Why should they make sure you only enroll fingerprints? It's not like that happened by accident.


It's not clear from the article if she had her prints registered then put the protector on or if she put the protector on first. If the former, then it's particularly heinous because people could easily replicate it. If it's the latter then people could just avoid screen protectors (Which shouldn't really be needed regardless).


This was reproduced with the protector added only after registration. Yikes. https://twitter.com/Sta_Light_/status/1184475413252210688


Right, this is the issue. They should be able to detect that a protector doesn't give a fingerprint with enough variance to be real.


A bug means that authentication can be bypassed easily? And a confused reader authenticates?

That’s a total f’n failure, not just “a bug.” You only release such things after super duper thorough testing.


Last time I checked the OS actively warns you that a strong password is the only way to actually secure your device. Face unlocks and fingerprint sensors are really just gimmicks, that's why android will sometimes prompt for the full password based on some heuristics.


Just because Samsung's sloppy copies of Apple's tech are sucky does not mean that the real technologies are "gimmicks".



From your link:

"The process described above proved to be somewhat unreliable as the depth of the ridges created by the toner was a little too shallow. Therefore an alternative process based on the same principle was utilized and has been demonstrated in an extended video available here. First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."

I'm not sure I would classify a process like that as being similar to putting a screen protector on.


They should disable those gimmicks and remove them from all advertising, comparison charts, etc.


Given this, it would be nice if a standard emerged of offering biometric+password. The idea being you get both the convenience of biometric, plus the security of a password. Of course a password is inconvenient, but that's only if it's a usual password. In this case you could use a simplified password which is quick to enter.


A hypothetical attack of putting a screen protector on your phone and putting my thumb on it is a super valid attack.


But think of the resources involved to execute this, it's so impractical! You need BOTH a screen protector AND something that registers on the capacitive touch screen!


> In fact there are already articles showing how the unlock feature works while you’re asleep

Hah, this was the first thing I tested with Face ID when I got my iPhone 10. If you look at it with your eyes closed then it won't unlock. Open your eyes and it instantly unlocks. I spent about five minutes playing peek-a-boo with it.


Actually it’s unlocking while your eyes are closed, it just re-locks really quickly the moment it senses that you are opening your eyes.


If that's true it means others can unlock it as long as my eyes are closed. I'm certain that's not the case.


I think the comment you replied to was a joke.


I got a chuckle out of it but honestly, we don't need to make this place like Reddit where serious topics were mixed with jokes and then it got so bad that it's impossible to engage in a serious discussion without a [serious] tag in the headline. Vast number of places on the internet are entertaining, there is no shortage. Let's leave HN for serious discussions. Good joke though.


Jokes are OK on HN as long as they are genuinely funny. Unfunny jokes tend to get downvoted. As most 'jokes' are not legitimately funny this system works well to keep a balance.

I've been here 10 years and it hasn't become like Reddit yet. Every person saying that HN will become like Reddit has been wrong so far.


If the joke adds intellectual value, I mostly agree. The problem is defining what’s truly funny and what’s not and it is highly dependent on the individual reader.

I’ve personally felt/seen some erosion but it’s hard to quantify and measure.


The problem on Reddit is the huge amount of formulaic and reference-based humor. It's too easy and it becomes a race to see who posts the obvious joke first.

On HN jokes do get upvoted - if they're original, related to the topic and actually funny.


For me it unlocks with my eyes closed. It only does that when I’m using glasses and from an angle below my face, but it unlocks.


Did you try to register an alternate appearance to handle with/without glasses? I’m wondering if that would help or if it’s a deeper issue.


It also checks you're looking at the screen which is pretty neat (though it's got a pretty wide margin for error).


Really depends on your threat model and what kind of access you want to prevent.

Random person tries to get in (eg phone was stolen in the subway, ...): biometrics work, password works.

Close person tries to get in (significant other, coworker, ...): biometrics is flawed, password works.

Government respecting your rights tries to get in: biometrics is completely broken, password works.

Government that doesn't respect your rights tries to get in: https://xkcd.com/538/

Although in that last case, as in the case of Government respecting your rights but the court orders you to give access, password still allows you to have the ability to block/brick/wipe the phone.

All of this of course is if you have good password hygiene, but if you don't I don't think you have a claim to complain about weak security models.


I'm not sure why you're downvoted -- I don't agree with your conclusions, but many of the sibling posts are making grand statements about "biometrics are usernames" while disregarding the threat model entirely.

I do disagree with a couple of your conclusions though, because the attacks you describe are all targeting you as an individual. There's a much broader class of attacks that should be worrisome -- adversaries seeking _any_ compromise of _any_ individual. Like getting a dump of passwords from neopets or something and trying all those passwords on Chase.

For that kind of adversary, password is vulnerable, and biometrics is secure. And that kind of adversary is by far the most dangerous and prevalent. Especially biometrics in the Apple secure enclave model, where the key material is secured by the biometrics but is very strong -- far stronger than a password can be.


For phone login and such you can't really attempt a password without being physically in front of the phone anyway, so any device from any individual doesn't really apply, in this case.


"For that kind of adversary, password is vulnerable, and biometrics is secure."

The applications I'm familiar with, the password takes precedence. It doesn't require password and fingerprint.

The thing is, if you add an extra factor, either you are required to use all of them, in which case it increases the risk of being wrongly locked out, or you are required to use any of them, in which case it increases the risk of the wrong person getting in.


I have an iPhone (fingerprints) and Android phone (password only). My adversary: my jealous girlfriend.

I found it functionally impossible to secure the android against my girlfriend as she could watch me enter any code or password multiple times.

She was not able to get into the iPhone, because the biometrics prevented her from being able to view the passcode being entered.

Summary: biometrics are a reasonable substitute for a trusting relationship. :)


Don't you ever find that the fingerprint recognition fails? And in that case, can't you use your passcode? If not, then you're locked out.


It fails very rarely, mostly if my hand is wet. Yes, you can use the passcode and you are required to enter the passcode at least once a week by design. But opportunity for shoulder surfing is reduced by a factor of hundreds since I probably unlock my phone 100 times a day.


I would say there is one case where a fingerprint scanner is more secure than a password though, which is if you're trying to unlock your phone with someone peeking over your shoulder (or in an area with video surveillance).


There's also the "I have complex passphrases for various apps/websites" but use iCloud keychain, 1Password, etc instead of typing in the password.

From a usability perspective, passwords are a nightmare, TouchID is a bit better (e.g. dry or wet fingers don't reliably work), FaceID is quite usable.

Apple seems the only company worth criticizing in this space.


You're correct about always having to evaluate security in terms of threat models, but you're off about a lot of your examples.

>Close person tries to get in (significant other, coworker, ...): biometrics is flawed, password works.

>Government respecting your rights tries to get in: biometrics is completely broken, password works.

The first is fully incorrect, the second far too generalized and heavily incorrect. PINs/passwords are far, FAR more trivial to skim than biometrics. Even mere shoulder surfing isn't hard, but in a world with approaching ubiquitous hard to notice downward looking cameras if you ever input a password anywhere that isn't physically secure, and with no one looking, you can easily have it compromised. And it of course takes essentially zero resource expenditure and offers zero visibility to merely use the password once it's acquired.

If it's at a random incident and a first-world type government wants to look, you can trivially disable biometrics on any decent implementation without even looking. So lack of biometrics buys you nothing. If it's a sting against you specifically then they can shoulder surf/camera it (remember the constant improvements in drones, are you REALLY not being watched well away from buildings even?) or just wait for you to unlock it and then swoop in and try to physically grab you while it's unlocked anyway. The scenario space where it'd make a difference is very, very minimal. Really, you want both: a strong password and biometrics for public usage. And for scenarios like border searches they can lawfully cause you enough inconvenience regardless that standard passcode is still not really the right response anyway. A burner, clean+remote load later, or alt-codes or the like would be the right way to go, though sadly I think only the first two are available right now.

>Government that don't respect your rights tries to get in: https://xkcd.com/538/

Possibly the dumbest xkcd ever made.


On the contrary, I think it’s one of the most accurate xkcd comics ever made. We’ve already seen how thieves savvy with how phone locking works will force you at gunpoint to disable any security; it doesn’t matter at that point how strong the encryption protecting your phone is at that point.


Biometrics are not secure to use for both a username and password combined.

At best, biometrics are good as a username to identify who you are, but not that you consent to login.

At best, today's biometrics are a trade off in security for convenience, partially because most can be faked.

I look to modern banking startups for biometrics use because money and personal data are similarly valuable and sensitive. If they aren't using it, it's not secure, or ready.

We are somehow ok with touch and faceid without some form of 2FA.


Well, it's certainly harder to fraudulently use than a PIN, which can be obtained by just looking over the person's shoulder.


For the initial compromise, sure, but once a biometric system is compromised, it could conceivably be compromised forever. This is what makes it a bad system for anything except identification (even then, I can imagine a few corner cases where it may be a bad idea).


Imho the best compromise was the lockscreen on the pre-Android Blackberry smartphones where you have to move a grid of random digits so that the right digit hovers on the right spot of a picture. Safe against onlookers, not reliant on biometrics and still quicker than entering a password.

But right now I doubt the fingerprint sensors will go away soon, nothing really beats them in terms of convenience.


> But right now I doubt the fingerprint sensors will go away soon,

The Pixel 4 does not have a fingerprint reader....


The article is about the Galaxy S10 and I was talking about fingerprint scanners on phones in general.


Marginally in some cases. I’d think biometrics with a pin or a 2FA pin could be useful in some cases.


A fingerprint reader can also be operated while the victim is asleep, unconscious, and even after you sever the thumb off (remote attack!!). Does that mean a fingerprint reader cannot ever be called secure?


Modern fingerprint readers rely on the conductivity of your finger, so a cut off finger (or the finger of a dead person) can't per se unlock a phone.


A dead person's skin is still conductive.


There are better ways to detect whether the finger is still attached to a live person.

https://www.newscientist.com/article/mg21128225-100-fingerpr...

Nevertheless it probably won't ever be completely reliable short of installing a hypodermic needle with the sensor to take a blood sample every time :)


Was it GATTACA where the main character used a prosthetic thumb add-on to fool the blood check every day on his way in to work?


Yep, fake hair samples and fake blood patches under the skin. There was a lot of detail written into that movie.


Andrew Niccol is so good!


And Demolition Man where he used an eyeball on a pen to fool the optical scanner.


I changed it... illuminate... deluminate...


Well this escalated quickly.


Yes, but only for a while.


The under-screen ones are ultrasonic as far as I’m aware.


Found this out the hard way with a paranoid ex.

Now I just use the 8 digit pin to login


I'm slightly curious as to which of the GP's options you found out the hard way. I truly hope you still have your fingers.


Passed out and the ex-girlfriend used my finger on my phone to unlock it.


What makes you think an ex-girlfriend wouldn't be paranoid enough to look over at an 8-digit passcode or pattern?


Passcodes are at least easier to rotate than fingerprints. You get 100,000,000 possibilities with 8 digits, compared to 10 possibilities with 10 digits.


Very good. Took me a second.


Personally, I don't date anyone I don't trust with my passwords, work excluded, of course. Works out pretty well for me.


How do you know if you can trust someone that way without dating them in the first place? Only date people you've been friends with for several years?


Yes, actually.


I'm curious about this - is there some formal unveiling of passwords as a relationship milestone? Or does it just come up naturally, like, "I need to log into your gmail account, what's your password?"


Well, whenever one of us gets a new phone, we put the other's fingerprints in, just as something we started doing out of convenience. After that, yeah, pretty much. We don't share all passwords, but we would if we needed to.


A fingerprint is never a secure password. It is a username at best.


No. It is a biometric identifier. That is what it is. A username is a human language convenient symbolic pointer that is meant to be public and used socially. I am still confused about why this particular incorrect meme is so persistent. "Something you know, something you have, something you are" all are simply different classes of authentication factor, and all are distinct from names, or UIDs, or any other bit of meta-information that isn't for authentication.

Just like "something you know" can have different strengths, "something you are" can too and changes in technology and threats will enable new options alongside new attacks as we go along. It's a process.


I've only heard the "something you know" and "Something you have" from my old graduate level security class. This is the first I've heard of "something you ARE" and I like this distinction. It makes sense.

Not only can "something you are" change (in some instances), it can also be something that can be difficult for technology to not recognize correctly. A username or password must be correct (unless you're Facebook and do that goofy thing where you allow both the upper and lower case versions) but a biometric is more fudgable.


Biometrics would be the something you are. A passphrase/pin would be the something you know. A fob/token would be the something you have.

Of course, the something you are necessitates a biometric system that itself can be trusted to be secure.


>I've only heard the "something you know" and "Something you have" from my old graduate level security class. This is the first I've heard of "something you ARE" and I like this distinction. It makes sense.

I'm somewhat surprised because it's definitely not new, I don't know what the exact genesis of that particular cryptographer's verse is but my vague recollection is I first heard it in the late 90s, and the idea of extracting bits showing identity from physical qualities unique to a person certainly dates back a long ways. "Something you are" can cover a lot of possibilities too, and with vastly more variety and subtlety than I think a lot of people consider even in security fields. For example, there was recently a genuinely very interesting idea of measuring bottoms. As in, your actual behind/ass, via sensors in chairs. It should be unsurprising if you consider it, but of course the patterns of musculature/fat/bone structure are fairly unique to you for any part of your body if you have sensitive enough tools. It's a transparent measure for certain use cases like a workstation or the like since you're sitting down anyway, and hard to clone from afar since our butts are typically covered and subdermal is challenging without near contact. Another place if you want to look for cutting edge possibilities is advertising/surveillance. Near anything used for tracking fingerprinting could in principle be used for authentication too, and again there are potentially a lot of bits of entropy to be found there. Our gaits as we walk, our patterns of typing, our micro muscle movements, all sorts of things aren't so generic to a powerful enough system. "Biometrics" is to some extent at the stage of 80s or early 90s passwords, something to keep in mind in these discussions when people complain about them. 8-character alphanumeric passwords protected by crypt aren't exactly good these days either, but auth tech moved on even as tech benefitted attackers. In the future biometrics will undoubtedly consider far more than our current early generation systems, up to and including implants.

FWIW, I have (more rarely) seen a few other classes of factor suggested that do make sense, and are arguably distinct categories. One is spatiotemporal, i.e., "somewhere/somewhen you are". This is used de facto by any sort of air gapping or "this system can only be accessed from this one place and console" or the like. It could though be taken advantage of far more thanks to more ubiquitous high resolution GPS and the like in our systems. Having certain kinds of data only become accessible in the right place/time could be very useful.

Another fuzzier category is "something you do", as in observing the actions you take. I felt at one point that this was merely another way of measuring "something you are", but I can see the idea that it'd be distinct because it's about revealing your direct state of mind, whereas at least for the foreseeable future "something you are" tends to focus on more bulk matter aspects of your being. Technically state of mind is physical too, there is a specific vector state of axons and neurons and firing patterns that represent it, but it might make sense still to distinguish that from physical body structure or even implants. Whatever the case though it's still an interesting consideration, and makes a lot of sense in old school counterops. Sometimes the first sign of someone who "shouldn't be authenticated to use this" has been "they were 'acting funny'" after all.


"Something you are" and "something you have" are the same class, just that the thing you have is physically attached to your body. Doesn't matter if it's a fingerprint, a chip installed under your skin or a tattoo. Pretty pointless distinction. Fingerprints, faces and eyes are merely conveniences.


Nope, they are quite different exactly because "something you are" is attached to you and "something you have" is not. One can be swapped out if compromised or get lost. The other can not (intentionally or unintentionally) be replaced, but -- because it is something biological -- undergoes slow changes over time. These differences are sufficiently large that it makes sense to split it into two categories when modeling the whole system from a security -- or usability -- standpoint.


> "something you are" is attached to you

And can be compromised without theft, coercion or any other trace.

> One can be swapped out if compromised or get lost.

Which makes something you are strictly worse than something you have.

> undergoes slow changes over time

You are lacking an argument for anything attached to this point.

> ...it makes sense to split it into two categories

So you are arguing that because something is strictly worse from a security standpoint, it should be categorised as a new category? Have I summed up your position correctly?

There are usability benefits which would exist similarly by attaching something which couldn't be easily compromised to your body. For example a chip under your skin or just carrying a watch on your wrist which you could authenticate with after putting it on and which would un-authenticate automatically when it is taken off. Nobody would argue that you are your chip or your watch.

Something you know is different because there are no plausible ways aside coercion and similar for extracting such secrets in idle, and the other alternative is to get compromised on usage. It's about the threat models.


They are different classes. Something you are can be stolen or copied, but you can't easily trade it away.

Something you have can have strong copy protection like a yubikey and can be given away.


See answer above.


Because you asked, it comes from a popular blogpost that has been discussed on here a couple times. Here's the last discussion: https://news.ycombinator.com/item?id=11549536


I can read your username once and remember it. I can't do the same with a fingerprint


I'm sure you can produce a hash from fingerprint model data for your reading pleasure


OpenSSH does that thing now where it can visually display ASCII art of your key fingerprint.


Depends on the username. And you don't have your username written on your body.


That's not dispositive, you also can't dust for names.


I think you mean the worst case scenario for a fingerprint is that it's a username.


I think what he means is that you leave your fingerprint everywhere without even realizing it so it's the biometric equivalent of asking for your email; a random attacker won't know it but any one with a wee bit of motivation can get it.


What I meant is: you can not change it and you can not keep it secret so it makes a poor password replacement. Usernames do not have to be kept secret (you know that my username on HN is petschge), so fingerprints might be slightly more usable as usernames than they are as passwords. They are of course not great for that either. Their best use might be similar to the "card present verifier" on the back of a credit card, i.e. as a sign that the person who entered their username, their password (and possibly a physical auth token like a chip card) is actually present themselves. Or don't use fingerprints at all. They are not as secure nor as convenient as you think.


I agree with this, but think that faces face the same issue. If anything, we leave our faces more places than our fingerprints; fingerprints smudge over time, but faces are big enough to capture at sufficient detail using cameras that are already widely deployed. iOS is better about facial recognition than Android (and I'm not an Apple fanboi), but it can still be hacked with some patience and enough video frames of the given face at different angles. I would really like biometrics to work, verifiable proof-of-human would be great, but I can only buy into them as an additional requirement for authentication; a piece of privately known/held information is still our most secure authentication mechanism for competent users.


> iOS is better about facial recognition than Android (and I'm not an Apple fanboi), but it can still be hacked with some patience and enough video frames of the given face at different angles.

FWIW, I don’t think anyone has done this credibly yet.


It's an arms race where people keep breaking into a specific version, Apple makes it harder, and nobody can get into the new shit for a while. There was a method for the X (dunno if updates have made it harder), but not for anything more recent AFAIK. I bet we see another one drop in the next couple years. It's just an engineering problem.


> There was a method for the X

I don't recall seeing one. Do you have a link?



You are right. But note that I never said that faces were any better.


True that, I didn't mean to imply otherwise; I just thought your comment was the most coherent rebuking of fingerprints I'd seen so far while skimming, and I thought it would be a good place to expand on your sentiments with my own thoughts. I do see how my opening "but" could be confusing in this regard.


A wee bit of motivation, hah, are you James Bond or something?

Usernames can be guessed remotely, fingerprints can't really.

Please demonstrate an attack that takes "a wee bit" of effort where you can use a fingerprint you found in the wild to auth.


The CCC went after a German politician to show just how easily you could copy a fingerprint even without access to an object touched by the target[1]. A few pictures of the finger are more than enough.

[1] https://www.macrumors.com/2014/12/29/ccc-reproduce-fingerpri...


How do you actually use the picture of the fingerprint to get into a phone? It doesn’t accept pictures, only fingers.


Print with a laserjet onto overhead projector foil, spread a suitable kind of wood glue, dry, peel and apply to own finger tip. It is actually very straightforward.


From the NewScientist article Laforet linked above:

> fake fingerprints can be created by imprinting copies in rubbery gels or silicone plastic, says Marcela Espinoza of the Institute of Police Science in Lausanne, Switzerland.

Replace silicone with some other flesh-like material that's conductive.


Ok but isn't that significantly more trouble than seeing or guessing a username?

Does this take just a "wee bit of motivation"?


This video[1] is German, however as far as I can tell everything you need to get from an image to a fake print is easily available. The relevant part starts at 65 seconds. Only a few minutes to get a working fake. It is basically the process described by petschge.

[1] https://youtu.be/OPtzRQNHzl0?t=65


Yes


Forbes article has slightly more information, including the fact that the Note10 should have the same vulnerability, and it explains that it's not just any screen protector, but a particular type of wraparound screen protector that manages to confuse the sensor. Samsung's reaction (a recommendation to only use authorized accessories) is completely off the mark considering that the real problem is someone could steal your device and then use an unauthorized accessory to access your info.

https://www.forbes.com/sites/gordonkelly/2019/10/15/samsung-...


I read that differently -- that the scanning of a working finger leaves an imprint in the gel, and this is what is read from the subsequent scan. This would mean that you couldn't just grab somebody's S10, put a gel screen protector on, and get into the device. You need to have them successfully unlock the device first.

With this in mind, they would not be completely off the mark.


That does not appear to be the case.

There is a video circulating these comments. It shows someone register their finger without the screen, slap the screen protector over top and unlock with a different, previously rejected finger.

Edit: https://twitter.com/sta_light_/status/1184475413252210688?s=...


If the fingerprint somehow gets embedded into the screen protector, is it possible that the screen protector is "tainted" with the fingerprint from previous usage?

I'm not dismissing the claims, but I would like to see if the behavior can be replicated with a brand new screen protector.


Yes, 100% agreed.


Yes, I saw that and it definitely made me rethink my theory. Either it's trapping a fingerprint under the protector or this is not the first run with the screen protector and it's "tainted" with a fingerprint in it now.

I'm unusually eager to know the full story!


S10 5G user here, with an IQ shield protector (wet application/ very soft yet strong gel type). Scanned fingers with the original protector, didn't rescan with the IQ shield which I only put on a few weeks ago.

Can only unlock with my scanned fingers, so will leave my scans as is until a fix eventuates (if it does).


The main issue is that someone can hijack your phone, use the compromising screen protector and get into your device.

Edit: Here is a video demonstration, posted by someone else in this discussion

https://twitter.com/Sta_Light_/status/1184475413252210688


From what I understand it's not that, it's fingerprint recorded as authorized while the flawed protection is on, that won't work.

If you record a new fingerprint without any protection, or one that doesn't confuse the sensor, you can't then put the flawed protection on top and have it bypass security.


I thought that, but if you look at the video linked, you can clearly see they register their fingerprint pre-screen protector. And then by putting the screen protector on, they can now unlock it with any finger.

I'm quite baffled by it honestly.


Jeez. _that_ is bad. How is that even possible? I mean it makes sense if you trained it with your finger with the faulty protector, but adding a faulty protector makes it work?

Surely the sensor must be able to tell the difference (even if it's currently doing it incorrectly)


Yep I saw the video after my post above also, and it didn't make any sense to me either.

Couldn't tell whether the N10 was completely naked during scan due to the quality of the video.

Would like to see verification, and to learn if the S105G sensor would be affected as well. It operates a bit better than the S10+, so it may not be identical - although that might be position only.


But, they have to adjust the screen protector's position before the wrong finger registers. That video makes it look like the protector was contaminated with a fingerprint before the recording began.


That assumes that it'll recognize any of the original fingerprints after you put on the screen protector. It may just see one big blob through the screen protector.

You'd have to take the phone, put a screen protector on, give it back, have them retrain the detection, then steal it again and finally unlock it.


From the Korean video someone posted in this discussion, it seems you can use any fingerprint just by putting on a screen protector - no retraining necessary.


I don't think that is accurate. I believe the issue is that adding your fingerprint with the screen protector on essentially makes it so anyone can unlock it. If you add your fingerprint without the screen protector, putting the screen protector on and scanning a fingerprint will not get you in.


That does not seem to be the case here:

https://twitter.com/Sta_Light_/status/1184475413252210688


Is it an issue if the fingerprint is registered without a screen protector on?

I could imagine it's possibly like putting foggy privacy tint on a window. You can see through clearly before, but after the tint is applied, everybody looks pretty much the same.



A bit of background on this (I am involved in the ultrasound industry):

- The chip Samsung uses is by Qualcomm. Their big claim is that their ultrasound fingerprint scanner is the only US government approved non-optical way of electronically scanning a fingerprint (those sensors they have at airports use basically the same technology)

- It's supposed to be more secure than the capacitive technology Apple used to use since it grabs a true image of the fingerprint and not just a low-res representation

- Given this, it's probably a problem with the software on Samsung's part, not Qualcomm

- However, it's interesting that adding the screen protector is what broke it. It suggests that there could be any number of unintentional biometric security holes

- It demonstrates that consumer tech companies (with possible exception of Apple) don't really have the expertise or motivation to properly implement biometric authentication

(edit - newlines)


Yeah agreed. It's almost certainly some code that needs to change from this:

  testResult = TestFingerprint(fingerprint);
  if(testResult)
    return UNLOCK_OK;
  else
    return UNLOCK_FAIL;

to this:

  testResult = TestFingerprint(fingerprint);
  if(testResult == RESULT_OK)
    return UNLOCK_OK;
  else
    return UNLOCK_FAIL;


My initial guess was something like the fingerprint is stored as a bunch of samples of where there are "hills" on the finger, and verifying the fingerprint consisted of checking that those hills are present - another human will have valleys where the first person had hills. The gel screen protector presented 100% hills so all the checks passed. What they needed to fix was to check for the non-presence of some "valleys" as well.

Of course the fact that they're using hashes of the fingerprint means this theory is bogus and the issue is probably a lot more complex/involved.


That seems unlikely. They surely would've done the most basic testing that would've found a bug like that. The issue here seems to be the addition of the screen cover is making all fingerprints appear similar enough to pass as the same one.


Is Samsung actually storing a hi res copy of a fingerprint, or just a hash?

I'm not sure I want any tech company storing high resolution scans of my biometrics.


This is how Apple does it:

The fingerprint sensor is active only when the capacitive steel ring that surrounds the Home button detects the touch of a finger, which triggers the advanced imaging array to scan the finger and send the scan to the Secure Enclave. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but can’t read it. It’s encrypted and authenticated with a session key that is negotiated using a shared key provisioned for each Touch ID sensor and its corresponding Secure Enclave at the factory. The shared key is strong, random, and different for every Touch ID sensor. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption.

The raster scan is temporarily stored in encrypted memory within the Secure Enclave while being vectorized for analysis, and then it’s discarded. The analysis utilizes sub dermal ridge flow angle mapping, which is a lossy process that discards minutia data that would be required to reconstruct the user’s actual fingerprint. The resulting map of nodes is stored without any identity information in an encrypted format that can only be read by the Secure Enclave. This data never leaves the device. It isn’t sent to Apple, nor is it included in device backups.


Officially, they only store a hash, but this is only a software restriction - I believe it is possible to obtain full images but this may not be possible with the public APIs.

In practice it may be possible to reverse-engineer the stored hashes but this has not been demonstrated (yet).


What kind of hash is used? I guess it has to be some kind of inexact match (I doubt the fingerprint image is ever exactly the same)? Does it operate over the image of the fingerprint or a vector of extracted features?


Yeah, I never understood how you could hash fingerprints or face unlock data. How do you do a fuzzy match on a hash? I guess you can make the original data less detailed/precise, such that slight variations would still come out with the same hash, but that seems to defeat some of the security.



Perhaps it’s similar to how Shazam fingerprints music. It’s a fingerprint of a fingerprint so to speak.


Presumably you would hash many variations of the initial thumbprint, and then simply compare the new thumbprint hash against the list of possibilities, passing upon finding the first match.


Is it not only stored on the device's secure storage, not online?


There really isn't a good reason to store it at all though, is there?


I’m curious if they can store a hash of a print.

What I know about prints is that you’re looking for some number of correlations between features. So of 90 points from the first scan, you’ll need 16 to match on entry.

So... I don’t think without knowing which 16-90 points you’re going to compare that you can hash all the combinations.

I could be wrong, but I suspect this is something they don’t JUST hash.
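The question running through this sub-thread (how a print can be "hashed" when no two scans are identical, versus matching "16 of 90 points"), as an added example that is not code from any commenter or vendor. The synthetic minutiae, the tolerances and all function names are assumptions; 90 and 16 are the figures quoted in the comment above.

```python
import hashlib
import math
import random

ENROLLED_POINTS = 90   # points kept at enrolment (figure quoted in the thread)
MATCH_THRESHOLD = 16   # points that must agree to accept (figure quoted in the thread)
DIST_TOL = 4.0         # assumption: positions must agree within 4 px
ANGLE_TOL = 10         # assumption: ridge angles must agree within 10 degrees


def make_finger(seed, n=ENROLLED_POINTS):
    """Constructed sample: a synthetic finger is n random (x, y, angle) minutiae."""
    rng = random.Random(seed)
    return [(rng.randrange(256), rng.randrange(256), rng.randrange(360))
            for _ in range(n)]


def rescan(template, seed, drop_every=3):
    """Constructed sample: the same finger read again, with jitter and missed points."""
    rng = random.Random(seed)
    out = []
    for i, (x, y, a) in enumerate(template):
        if drop_every and i % drop_every == drop_every - 1:
            continue  # the sensor missed this point on this read
        out.append((x + rng.randint(-2, 2),
                    y + rng.randint(-2, 2),
                    (a + rng.randint(-3, 3)) % 360))
    return out


def angle_diff(a, b):
    """Smallest difference between two angles in degrees, handling wrap-around."""
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_count(enrolled, probe):
    """Greedy pairing: each enrolled point can be claimed by at most one probe point."""
    used = set()
    hits = 0
    for px, py, pa in probe:
        for j, (ex, ey, ea) in enumerate(enrolled):
            if j in used:
                continue
            close = math.hypot(px - ex, py - ey) <= DIST_TOL
            if close and angle_diff(pa, ea) <= ANGLE_TOL:
                used.add(j)
                hits += 1
                break
    return hits


def accepts(enrolled, probe):
    """Threshold decision: enough points agree, regardless of which ones."""
    return match_count(enrolled, probe) >= MATCH_THRESHOLD


def digest(template, cell=1):
    """SHA-256 of the template after snapping every value to a grid of `cell` units."""
    h = hashlib.sha256()
    for x, y, a in template:
        h.update(f"{x // cell},{y // cell},{a // cell};".encode())
    return h.hexdigest()


if __name__ == "__main__":
    enrolled = make_finger(2019)
    genuine = rescan(enrolled, 7)                 # same finger, noisy and partial
    full = rescan(enrolled, 7, drop_every=0)      # same finger, noisy but complete
    impostor = make_finger(4242)                  # unrelated finger

    print("genuine points matched :", match_count(enrolled, genuine))
    print("impostor points matched:", match_count(enrolled, impostor))
    print("exact hash equal       :", digest(enrolled) == digest(genuine))
    # Coarsening the data before hashing does not rescue exact comparison:
    # one value crossing a grid boundary changes the whole digest.
    print("coarse hash equal      :", digest(enrolled, 16) == digest(full, 16))
```

The stored template here is a feature list compared with tolerances; a cryptographic digest can protect or bind that template at rest, but it cannot be the thing compared against a fresh scan.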


Can you elaborate on the operating principle behind the ultrasonic sensor and what makes its output a "true image" vs. Touch ID's "low-res representation"?


>It demonstrates that consumer tech companies (with possible exception of Apple) don't really have the expertise

I suspect Samsung can muster a fair bit of expertise if they feel the need. We're not exactly talking about a fly-by-night tech startup here...


Edit: I was wrong and misunderstood the article


This is not true. Here you can watch someone set up the fingerprint without the protection and using a different finger to unlock it after the protection:

https://twitter.com/Sta_Light_/status/1184475413252210688


Biometric authentication on Android phones has always seemed to be hit-or-miss: companies looking to add it to their feature checklist either come up with fundamentally flawed designs (storing a fingerprint as an unencrypted image file, etc.) or you have bugs like these. There really needs to be some sort of realignment that incentivizes companies to get this right rather than slap together something broken and try to sell it as “iPhone may have x feature, but we have y (which is buggy, but you don’t know that)”.


This sentence from the NY Times review of the Galaxy Note 8 has always stuck with me.

>Some of the biometrics, including the ability to unlock your phone by scanning your face or irises, are so poorly executed that they feel like marketing gimmicks as opposed to actual security features.

https://www.nytimes.com/2017/09/05/technology/personaltech/s...


The face unlock from the S8 onwards had a huge disclaimer page you had to accept saying it was a convenience feature only, do not use if security is important.


And security should be important to everyone. So basically don’t use this feature.


Seems more like false advertising


I set up the face unlock on my S9 and lasted about half a day before I was back to the fingerprint. It's just so much easier and more convenient in every way.


Some sort of certification would be useful. We can compare cameras with megapixels, but fingerprint reader is like boolean: it's either present or not. There are obvious metrics like false positive rate, false negative rate, but I have no idea where to find those metrics for any phone.


iPhone publishes them: https://www.apple.com/business/docs/site/iOS_Security_Guide..... It’d be nice if Android manufacturers detailed their implementations and accuracy rates too, but I haven’t found any yet :(


Where exactly in that document are the accuracy rates? It's not easy to find.


It’s under System Security, in the Touch ID and Face ID sections:

> The probability that a random person in the population could unlock your iPhone is 1 in 50,000 with Touch ID or 1 in 1,000,000 with Face ID. This probability increases with multiple enrolled fingerprints (up to 1 in 10,000 with five fingerprints) or appearances (up to 1 in 500,000 with two appearances).


Note that this is _much_ less useful than it appears for the same reason as misleading stats often offered to courts when evidence partially links a suspect to a crime.

The problem is that it says random people, but people aren't random. We don't periodically just stir all the people in the entire world and redistribute them across the globe.

In courts you'd get a situation where a jury is told there's only 1-in-10-million chance this evidence would match a random person. Only a few hundred people in the whole world could have been the one, and yet this suspect matches. And what they may not get told unless a defence lawyer brings it up is oh, by the way, six of those few hundred people were in the place where it happened and four more lived in the same street as the suspect.

Bob's Face ID may only match 1 in a million people. But if one of those "1 in a million" people is Bob's twin brother Dave who is always pranking him, and another is Bob's cousin Barry who doesn't look that similar to a person, but mathematically it turns out Bob and Barry's faces look identical to a computer vision system due to their bone structure, then Bob won't find "Face ID" much use.


Your argument is correct for FaceID, but it does not transfer to TouchID. The fingerprints of twins are not more similar to one another than that of two random people.


> The fingerprints of twins are not more similar to one another than that of two random people.

That’s not accurate. Family members have more similarity in their prints than among random people, twins even more similarity, and identical yet more.

I can’t immediately find authoritative references for family and fraternal twins, but here’s a reference for identical twins:

“Identical twins have the same chromosomes and similar physical characteristics and, therefore, they have a high class/type similarity in their fingerprints.” https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3338710/


"Class/type similarity" means that twins are likely to, say, both have whorls on their right index fingers, but doesn't mean they'll have the same pattern of ridges. So for the sake of biometrics, that doesn't make them more similar than two random people.


I stand corrected!

Time to switch to a good old PIN if you have an (evil) twin, then!


The fact that the math here is wrong is quite concerning. Probabilities are not additive - 1 in 6 dice rolls will produce a 5, it doesn't mean if I roll 6 times I am guaranteed a 5.


For small probabilities, approximating

  (1-p)^n

by

  1 - n × p

is absolutely fine. For example

  (1-0.00002)^5 = 0.999900004

Rounding gives you that “one in 10,000”


Adding the probabilities is a good enough approximation when the probabilities and number of trials are very low, though - as in this case. The true value for at least one failure in 5 trials with an individual 1/50000 probability of failure is 1/10000.4 rather than 1/10000, but it seems clear that the original 1/50000 isn't that precise anyway.


You must not have used many Android phones. The fingerprint scanner has been stellar and instant in every phone I've had, at least until people started switching to this horrible under-display one which is a huge downgrade for no reason.


Stellar/instant is a poor indicator for how secure it is; it can be stellar/instant and not secure at all. As is the (gel) case here, I don't know if this is a Samsung only thing or if this sensor is used in different Android devices as well. Or if this is limited to this sensor only in the first place.

You can ask the same question of face/iris scans, people have and it's quite difficult to replicate, but not impossible. There's a plethora of YouTube videos about this.


I own a Pixel device, which is one of the few Android phones I’ve found that provides details of how it keeps that data secure: https://support.google.com/pixelphone/answer/6300638?hl=en.


I don't own a Pixel; I use a Sony device (great devices with terrible software). Pixels 3+ are by far the most secure Android devices out there.

I recently bought a Samsung watch. It's a solid responsive device with ok software; depending on what you may do in the wearables app it may or may not crash (the watch itself seems to have good battery life and pretty stable). I had an Apple Watch for a while that I gave my mom and unfortunately I have to say the Samsung device feels like a device with a lot of potential but not quite there yet. A lot of it has to do with the ecosystem. Tizen seems great, but the app store is so-so. The entire Samsung login, region, payment, app store experience feels half-baked compared to the experience on a Mac/Apple device. I've been recently trying to figure out if I should buy a Samsung device to access the ToF camera, but the documentation is virtually nonexistent (it's scheduled to come "eventually").

I somewhat wish they would license their Tizen version to other vendors since it's way better than the WatchOS alternative.

I haven't been using mac/iphones in a few years rather than to test stuff, so maybe it really got a lot worse since then. But from what I remember the general experience felt a bit more smooth.

https://www.blog.google/products/pixel/titan-m-makes-pixel-3...


Unless there's been a foundational shakeup, I'd be wary of Tizen. There have been numerous reports of horribly shoddy development practices and massive bugs.

Never used a Samsung myself so I'm just remembering stories.


I'm not at all surprised. The whole MeeGo, Tizen, whatever development process was a complete mess. But then again Android was too. I still think it's unfortunate.

But can you elaborate?


Not very well. Months ago I came across a couple of references to egregious security problems and outright horrid development practices, of which I've forgotten 95% of the content and only have the left over sense of "nope, don't ever want to rely on that ever".

https://news.ycombinator.com/item?id=14752446


My Pixel 3a has a fingerprint scanner which works about as often as the literally free promotional phone my carrier thrust onto me last year. I'm lucky if it works 1/5 times.


TBF I never had any good luck with Apple's TouchID (which most people seem to love) - some of us just have hands that are incompatible with the technology. So while the many for whom it worked flawlessly lamented the loss of it in favor of FaceID, I was cheering.


It's seasonal for me.

Spring and summer, TouchID works flawlessly. Once the air gets dry in the fall and my skin starts to get gross, TouchID struggles. But I guess that's to be expected.


For me it was the opposite - I think it was the humidity in the summer that messed with TouchID


I find that the slightest modicum of oil on my skin is enough to stump my sensor.


Ok, I feel seen. I had trouble with TouchID on the 5S, upgraded to a 6S, and a 7 and continued to have trouble. It never reliably worked for me. I partially blamed it on oily hands, but my fingertips are fairly scarred as well. As soon as FaceID was revealed, I jumped ship to the X series phones and can't imagine going back. It's crazy how much more reliable FaceID is for me than TouchID ever was.


I'm in the same boat. I never could get TouchID to work reliably or fast enough. To the point where I never even bothered to have it on. FaceID on the other hand has worked great for me, and only doesn't work if I have a motorcycle helmet or goggles on, which is understandable.


My (subjective) experience with my Pixel 3 has been fantastic. I find excellent recognition with all configured fingers.


I'm having the same experience with the 3XL that I recently bought. My 6P that I upgraded from was much more reliable.


Well, apparently on this one the fingerprint sensor is also fast with the caveat that it unlocks the phone for everyone when a screen protector is applied.


That's not a caveat. That's a security hole. Anyone could put a piece of plastic between them and the scanner, and if that's all it takes, it was never secure in the first place.


That's a huge caveat. I think the Samsung is the fastest one among all the underscreen fingerprint sensors. But compared to a not-underscreen sensor? I agree with the above comment. Aside from looking sleek, the underscreen fingerprint sensor has been really underwhelming compared to a regular fingerprint one.


As someone with an iPhone as a personal phone and a Galaxy S8 as a work phone, I can attest to the fact that the fingerprint sensor in the S8 is _absolutely terrible_ compared to Apple's Touch ID.

It routinely misses touches altogether, complains that I'm not covering the sensor even when I am doing (and yet this doesn't seem to bother Touch ID in the slightest) and doesn't seem to have much of a delay between attempts making it very easy to "lock out" the fingerprint sensor and being forced to enter the PIN due to several mismatches in a short space of time.

Also whoever decided to put the fingerprint sensor on the back of the phone should be prevented from designing phones ever again.


> Also whoever decided to put the fingerprint sensor on the back of the phone should be prevented from designing phones ever again.

Why? My phone has a fingerprint reader on the back, and I quite like it- I don't have to move my fingers much to use it, it's also the lock button, which makes it rather easy to "log in" to the phone.

Just tested it- less than one second to log in via finger, and it works almost all the time. (I've had motor oil on my fingers and it's still worked, not that that's a good idea...)

Also people who suggest serious consequences for failure to abide by a personal opinion should, IMO, stop talking.


The sensor on the back is out of reach when the phone is on a mount, for example the handlebar of my bicycle. I considered activating face recognition but I'll probably use the old phone as navigation device: it's got the sensor on the side. I'm using offline maps anyway and only when cycling for leisure. I'll keep my main phone in my pocket (in airplane mode, I don't want to be disturbed.)


Depending on how it's mounted...I can unlock my S8 reaching over the top of the phone where my finger is basically upside down.

I hope it means that Samsung compares the data on the whole sensor, and not that anyone can unlock it :)


Right but in my case the mount completely covers the sensor. Samsung A40 and Topeak mount. The other phone is a Sony Xperia X Compact. Maybe the Samsung is too thin to have the sensor on the side.


The fingerprint sensor on the back of the phone is something I like so much I will avoid upgrading to a device that has it anywhere else (I fear I may be using my Pixel 3 for a very long time). I think it's a genius spot for it. It's right where my finger naturally falls as I'm bringing my phone out of my pocket, so it's unlocked before my eyes ever got the screen.


Trying to use a phone with the sensor on the back just showed me how often I'm unlocking my phone while it's laying on a surface or how I always pinch the phone out of my pocket by the chin because that's all the room I have with pants that fit. Also, I can't access it when it's mounted on my bike which is such a serious showstopper I don't know how it made it out of the brainstorming phase.

I found it to be the worst place to put it.


With how big phones are these days I find it very annoying to have the lock button so far from the unlock button. I vastly prefer the scanner/unlock/lock button on the back.


Hmm, I definitely disagree based on my experiences. I think the lack of timeout with a limit on attempts is far nicer, it works reliably for me in nearly every case except sometimes in the winter (which affects other fingerprint sensors I've tried as well), and the position on the back is ideal for me in almost every position I use the phone. I can easily pull it out of my pocket and activate it one-handed without feeling like I'm holding my phone precariously.


There are good arguments for the sensor to be on either side of the phone (or ON the side). I have a phone with the sensor on the back, and while it is inconvenient when I am doing a quick check or it is in a mount (rare), it is a more natural place when you are actually picking up the phone.


You must have had better luck than me.

- Xiaomi Redmi Note 4 - pretty good finger print scanner on the back

- Samsung Galaxy S8 - absolutely terrible fingerprint scanner that was so bad I switched to pin after a while

- Samsung Galaxy S10 - new fingerprint scanner under display, works most of the time but still unreliable, also it is not the quickest.

You would have thought that leading brand (Samsung) would have decent fingerprint scanners on their flagships, but it is just not the case.

The thing with bad fingerprint scanners is that you can't rely on them, so I rather choose reliable slower 3s unlock with pin than unreliable maybe faster 1-10s unlock with fingerprint.


On my S8 I never used the rear fingerprint scanner. It was so unwieldy and poorly placed that it was quicker and easier to enter my pin.

They also touted "face recognition" but it was a poorly-made piece of software that used a conventional camera (no depth) and was just a marketing check-off item, and not a real feature.


Yeah, all my phones have been Xiaomis where the scanner is fantastic. The latest one, the 9T, has an in-display scanner, and you're spot on. It's usually okay, but sometimes gives me trouble, and this burstiness is what irritates me to no end.


My LG V20's fingerprint reader works quite well, and is rather fast. It's also a couple years old, but still zippy.


On my S9 they seem to have hit the sweet spot -- there's little to complain about.


3 seconds?!


Click the lock button, swipe up, enter the pin. Seems to be about 3s?


> until people started switching to this horrible under-display one which is a huge downgrade for no reason.

That's certainly a matter of opinion, and is not a "huge downgrade for no reason". I prefer my fingerprint scanners on the front, and I know others do as well.


Front one would be better of course, but only if it worked. As it is on S10 scanner is complete garbage, even with all the patches they keep making.


I guess it is a matter of opinion. I prefer mine to work.


What I would like to see implemented is "Touch to Factory Reset". That would allow you to define an unlikely combination of touch sensor presses - say your right pinky finger followed within 1 second by your left pinky finger, that would silently perform a factory reset on the device. That would be handy if you believe your phone is about to be stolen or confiscated by the police.


Just not true.


Can you back up any of these big claims with actual sources? This is the first I'm hearing about this.


Reminds me of a funny story: A few years back on a visit to Beijing, was hustled on a street corner to purchase what appeared to be a brand new iPhone (a 7, if memory serves), for a ridiculous price. The seller handed it to me to play with, and proudly demoed the fingerprint unlock feature. The interface looked flawless (given that it was Chinese). Naturally, it was a fake. Doing a hard reboot brought the green Android bucket at boot.

As for the unlock feature, it took the user through all steps of fingerprint setup only to work with any finger (or anything else warm touching it, for that matter).


Next step: the power button triggers an animation of the iOS restart process, and has nothing to do with how to power cycle the phone.


I think I saw that feature in the NSA TAO catalog.


It looks like this works with the fingerprint set up before the screen protector is added. The catch here, I believe, is that the screen protector needs to have some sort of gel adhesive and it only unlocks if you've pressed a valid finger against the screen protector prior to using the invalid finger.

Pressing the valid finger against the protector leaves an imprint in the gel, and this is what is read when it reads the invalid finger. I don't think that this is a bug in Samsung's code but rather a flaw in the technology that they chose to use.


Is there any indication of whether this only happens if the screen protector was present prior to training the fingerprint?

> After buying a £2.70 gel screen protector on eBay, Lisa Neilson found her left thumbprint, which was not registered, could unlock the phone.

This suggests that an attack of "put a malicious screen protector on phone to unlock" is possible. I'm curious whether there was any re-training after applying the protector.


Ah, here's a video of a note 10, which has the same fingerprint sensor as an s10, being fooled by a gel _case_ after being trained with a fingerprint normally.

https://twitter.com/Sta_Light_/status/1184475413252210688


Press any finger to continue.


I've never used fingerprint scanners for paranoid reasons as this, so this gives me both some undeserved smugness and renewed paranoia.

Are long pins and passwords still the most secure way to control access to your phone? Is there U2F for phones as a 2nd factor?


Long pins and passwords make you a lot more susceptible to casual attackers, as they can be gotten from shoulder surfing and casual video, like e.g. surveillance footage.

Fingerprint replicas (or your actual fingers) are obtainable by targeted attackers of some sophistication. But if you're targeted by attackers willing to go that length for you, you have other problems. IMO, fingerprints provide the best practical security.


Ultimately it's a device you're carrying around with you, if someone wants access they're probably going to get it, all you're aiming to stop is chance opportunists.

Pin, fingerprint reader (that works) is enough.

Btw, I don't think 'casual attackers' really fits with access to, and willingness to go through cctv.


Only one of those can unlock your phone while you are unconscious, or with a body part that has been removed.


If someone is going to go to the lengths of cutting off your finger to get into your phone, I would suggest you're screwed anyway because they seem like the kind of people who'd chop off your/your wife/your children's fingers to get you to unlock it if you had a passphrase anyway.


Consider someone robbing you in a dark alley. They just want your phone and to disable any security alarms/tracking that may exist in the phone. They certainly have no motivation to cut off your finger, but now you've given them one.

Consider also a roommate or someone you've recently started seeing. They can very easily unlock your phone by using your finger while you're asleep. They could shoulder-surf as well, but you can be vigilant against that. It's almost impossible to be vigilant against someone grabbing your finger while sleeping.


> It's almost impossible to be vigilant against someone grabbing your finger while sleeping

I believe most phones have a way to easily disable fingerprint or face unlock until the next time the pass code is entered.

For example, on recent iPhones, just hold both the power button and one of volume buttons down for a couple seconds, which brings up the screen for power off, medical ID, and emergency SOS. Hit cancel on that screen, and biometrics are disabled until you next enter the pass code.

It should be reasonably possible to be vigilant enough to do that before going to sleep.


There's no value to a robber of unlocking an iPhone with a fingerprint. Unless the phone is dissociated with an iCloud account (which requires entering the user's Apple ID and password) it's useless for anything other than for spare parts.


There is if you’ve allowed touchID for bank accounts and have ability to transfer money. Also, it could happen if you’re a heavy sleeper or passed out drunk.


Over here (UK) at least, I think a lot of phone thefts are done by people on mopeds who grab phones out of people's hands while they're using them, so the phone is already unlocked.


>> or with a body part that has been removed

If I remember the order correctly: One of the first attacks on fingerprint readers was to blow on them, making them read the remains of the previous fingerprint used. That was fixed by adding a temperature sensor to the reader, so to attack it you had to use a plastic bag with water at around human temperature. The easy fix was to also check for a pulse while reading the fingerprint; this also makes it impossible to use a removed body part.

I have not kept up with the progress in the last years, so I'm not sure how well creating a fake fingerprint that you put on top of your own prints works, like they do in movies. Finding and reproducing a print is not that hard.

As others have written, fingerprints are usernames. They are not secret and you cannot change them.


Those would be the "attackers willing to go that length" the person was referring to. If these are the adversaries you want to defend against, your solution is even simpler - don't store such secrets on your phone. Also maybe hire a bodyguard.


If those are your adversaries, they are going to use rubber hose decryption.


If someone has lifted your pin/password, they can very much unlock your phone while you are unconscious.

IMO a combination of biometric and pin/password/phrase would be a good solution.


"or with a body part that has been removed"

wow. in what line of business do you work if you don't mind me asking?


Technology.

;)


Just stealing your drinking glass to get a good print to replicate seems to be almost as reliable as detaching body parts, with much less mess.


Is that more of a day-to-day problem for you than shoulder surfing? I ask because I used to have a drinking problem, too.


The kind of criminal prepared to knock you unconscious or remove a thumb is pretty rare.


I'd say finger removal is a few steps less likely than knocking someone unconscious, esp. if you can knock them unconscious and then clone their fingerprint.

Mind you, there are some quite dumb criminals, so "likely probability" besides "how likely am I to get robbed?" likely goes out the window.


There’s quite a few people that knock themselves out with drugs like alcohol.


Fingerprints were never supposed to replace passwords, they're more analogous to usernames.

I like fingerprint scanner as a quick way to unlock my phone, it's at least more secure than the 4 digit passcodes or patterns I used before that, and more convenient than that or face recognition. But I wouldn't want to use fingerprint to replace entering a password for making payments or accessing any secure data.


Vehemently agreeing with you. Fingerprints are identification, not authentication or authorization.


Genuine question: in what way are fingerprints not authentication? (to a ~1:500K uncertainty)


A few issues:

First of all because they cannot be revoked. Unless you count cutting tools and torches. Just as well as they can be easily used without the user's consent (e.g. sleeping) without them being aware of it. Note: this does not require stealing anything as in the passphrase case.

An additional problem is the high false positive rate.

They just identify the user, not an action of authentication/authorization; i.e. a mental action like remembering a password and actively approving something.

See it this way: Your bank card identifies you, your pin number authorizes the payment. These are distinct differences. If you ignore authorization you get NFC payments, which are very convenient but far less secure and easier to manipulate. Note: your pin can be revoked, your fingerprint can't.


U2F doesn't feel like a natural fit for securing a phone because the core "factor" in U2F is "Something you have" and well, you "have" the phone too already. The fingerprints are "Something you are" but as we see _implementation_ may be lacking. So as you realise that leaves requiring a passphrase, "Something you know".

It's awkward, but I think if you care about security that's still really the most practical solid option. Fingerprints were only ever "better than nothing" here and should not have been sold as more than that (Biometrics _can_ be very secure but they need human supervision, e.g. when police take a DNA sample you can't give them somebody else's DNA but nobody is supervising you when you press what may or may not be your actual finger up against the sensor on a stolen phone).

I have a passphrase and a relatively short screen timeout for my phone, it certainly is less convenient than most people's zero authentication strategy, I noticed this when my closest place to buy groceries announced I could use the phone instead of needing a cashier.

For a regular person you just wander around, bagging anything you want and scanning it with the phone, then obviously you pay at the end. But for any time I spent more than 30 seconds or so browsing the phone locked and I needed to re-enter my passphrase to scan an item, cumbersome. There are tweaks I could do to let the scanning app stay active when the screen locks, but ultimately I just won't bother, there are hand scanners for people who don't have a phone or don't want to use it like me. I'll only use the phone if I pop in to get a single item so that unlocking the phone is faster than swiping to get a scanner.


I switched to my first Fingerprint phone a year ago, and I can't imagine going back to passcode unlocking for convenience reasons.

Which is the most secure? It depends on the threat model. With an NFC sensor, I suppose it should be possible to unlock a phone from a physical key, but is it really convenient?

The only downside of a fingerprint is that there is no key rotating. If your fingerprint pattern is compromised, you are screwed. This doesn't have to be a security vuln in the device itself. A determined attacker can take your fingerprints off the screen surface or back of the phone.


It hardly counts as paranoia, the gummy bears trick is so old hat and it's obvious you have no effective assurance of keeping the prints safe.


You can use NFC or USB Yubikeys etc.


I know Yubikeys can be used as a second factor for apps but can you use them to unlock a phone as well?


Yubikeys can do FIDO along with storing a static complex password. I know android phones can lock with a password so it seems possible but it would be extremely clunky to have to plug in your key every time you unlock your phone.


Also sorta silly, because you are going to have to carry it with your phone anyway.


In the scenario "I forgot my phone and now it's gone" the Yubikey offers perfect security, because I'm unlikely to lose both my phone and my keyring with my YubiKey (that assessment might not hold for a woman with a handbag). In any targeted attack it's useless.


But if you need the FIDO key to use the phone you actually are likely to lose both at once, surely?


Only as likely as you are to lose your phone at the same time as your keys today, which as GP says depends on your habits / how you carry them.

It's not perfect, (and my Yubikey doesn't support it so I don't do it) but what is?


> Only as likely as you are to lose your phone at the same time as your keys today

This makes no sense and I struggle to even comprehend how somebody could come to this conclusion.

Before: I take my phone out, I unlock it, I look at something on the phone, then I get distracted, I leave it on a bar, a desk, somebody's refrigerator, wherever.

Now: I take my phone out. I need the FIDO key to unlock it, so I get that out too, I unlock the phone, I look at something on the phone, and then I get distracted and this time leave both the FIDO key and the phone in the same exact place, because of course I do I was using them both when I was distracted.

Can at least one of the people who seems so sure that somehow this wouldn't alter how often they lose the two items they now need together explain their thinking? Do you just... lose things randomly like maybe you have a gaping hole in your pocket and things fall out but you've never bothered to repair it? How are you losing things so that it somehow doesn't matter whether they're used together?


> Now: I take my phone out. I need the FIDO key to unlock it, so I get that out too, I unlock the phone, I look at something on the phone, and then I get distracted and this time leave both the FIDO key and the phone in the same exact place, because of course I do I was using them both when I was distracted.

If I had an NFC one what I imagine doing is just pulling my phone out of one pocket and tapping it against the other, where my keys are.

I suppose if I was going to plug it in I could do that today (albeit with a USB-C adapter) but I don't because, the security point you mention aside, it's a usability nightmare (even if I didn't need an adapter).


I don't use fingerprint readers because they don't freaking work for me.


Do you have fingers?


yes


The best is to have a secret phone like secure folder or private space. Thus you are protected even if someone makes you unlock the phone.


Like a full second phone? Easily noticeable via Wireshark.

Like a folder? Probably noticeable with a utility like WinDirStat.

Like a separate user? Can the other one install apps? If so, you're likely done for if someone gets access to the one account. Also there's this [1] to consider, as well.

I hate shooting privacy ideas down. Unfortunately, that's all I have to contribute this time.

[1] https://xkcd.com/1200/


Well depends I guess.

After using it I like the idea with Huawei Private Space. You need to unlock the phone with a different biometric/password to get notifications even. So separate storage / user / app store.

Samsung Knox is a bit more seamless, you can choose how much you share (like copy & paste).

In case you are made to do it, both can fool the government into accepting that your phone is clean with the correct setup.


Could you elaborate?


Huawei Private Space: Use another password to unlock the private space.

Samsung Knox (secure folder): App hidden as a normal app (can be renamed as something completely normal).

Both have separated contacts / app store etc and are separated with support from the hardware.


Samsung Knox for example. Defence in depth.


[[It's not 100% clear but it seems that the problem only occurs if you put the screen protector on before recording your fingerprint. If you record the fingerprint and then add the protector it does not allow you to unlock the phone as it sees a vastly different print.

In other words, a screen protector is not a "master key" for any S10!

Please correct me if I am wrong.]]

Edit: On second reading of the article it looks like a screen protector might actually be a master key for any S10 phone. That's a really big design flaw! (Thanks to computerex for making me read the article more critically.)


That doesn't appear to be the case based on the reporting.

> After buying a £2.70 gel screen protector on eBay, Lisa Neilson found her left thumbprint, which was not registered, could unlock the phone.

This suggests that the issue started happening after putting on the screen protector, and after recording the fingerprint.


From what it seems, it records a "flat" fingerprint, because the screen protector is obviously a flat layer on top of the device. So any haptic touch only activates this flat fingerprint


Good explanation. Makes sense.


It should be noted that the S10E does not suffer from this flaw, as its thumbprint sensor is a hardware button on the side of the phone that doubles as the power button. Just picked one up a week ago and very pleased with it.


Assuming the flaw hasn't been discovered because no one logically puts a protective cover over that button. What if you did place the same protective cover over that button and try? Could it be hijacked in that manner?


The screen protector/case works on the S10 because (I'm assuming here) of some flaw with how the ultrasonic fingerprint reader reads the fingerprint, whereas the S10e uses a traditional capacitive scanner. Both are fundamentally different approaches to generating a copy of your fingerprint so I don't think it's likely this technique would work on the 10e.


Some kind of smudge attack from residue left on the screen protector?


Seems to be an artifact of how the EMF interacts with the additional layer.


I’m astounded at how little testing companies do with their products. Most high school students with nothing better to do could have hypothesized this problem and tested for it if only somebody had bothered to ask them.


Given that people report this works with a protector added AFTER registering the print...I'd love to see how Samsung reckons they can fix this with software. Because that sounds very much like a physical issue


I guess now we know why Apple didn't roll this out on iPhones.


Apple would (hopefully) test it before releasing it on a new product.


Does this mean if the fingerprint scanner gets "confused", it just defaults to unlocking the phone? That seems like a pretty terrible design.


The theory some are claiming is that the reader is registering the adhesive patterns of a screen protector rather than your fingerprint.


This really is an unforgivably bad fuckup.

It's clear that Samsung and Google are scrabbling to catch up with Apple, and I don't see why tbh. I don't think the general public dislike traditional fingerprint readers nearly as much as they do finding out the unlock mechanisms aren't secure.


Seeing how bad the fingerprint scanner is on the S10 even with correct fingers and no protectors, I can only wish luck to the thieves who'll try to do this trick. I sometimes can't unlock the damned thing in five tries and have to enter the password.


You can also show a video or a photo of a phone owner and it will be unlocked. It’s a joke of a security and most people don’t understand that and think it’s as secure as iPhone’s face unlock, which is a totally different beast.


Erring on the side of unlocking? Fascinating strategy for a lock.


First thing I did when I got my BLU R2 Plus Android phone was to put electrical tape over the fingerprint reader.


10/10 for accessibility - worth mentioning that at next performance review.


Hmm... maybe someone else's will work better than mine... I can hardly get in.


Biometrics makes the usual mistake of using the user identifier as a password.

As repeated here in HN, a good password is nothing like biometrics. A good password should

- be frequently changeable

- not be left lying around

- not be easily visible in public

- if discovered, not be obviously associated with the user

- have lots of entropy

Biometrics fails all of these tests


That may be true in principle, but in reality an average user password meets none of those requirements either.


Biometrics is often an order of magnitude less entropy than even an 8-character password. Your garage door opener code has more.


Does that include the 3D scanning capabilities of the iPhone?


Has anybody tried this with the older in-button fingerprint scanners?


Can someone explain to me how something like this is technically possible? And by "explain" I don't mean "ELI5", be all the technical you want. How can you design a fingerprint reader that lets anybody in like this?


Given the behaviour demonstrated (register fingerprint, everything works as expected, add screen protector, any fingerprint unlocks), I'd imagine that they're not dealing with every possible result the fingerprint reader can produce. For example, they might be assuming the result could be either a pass or a fail, but in fact there are three states: valid fingerprint and matched, valid fingerprint and not matched, and not a valid fingerprint.

Perhaps the fingerprint reader returns a result of 0 for "valid print and not matched", result 1 for "valid print and matched", and result -1 for "not valid print". If the phone vendor code simply tests for a non-zero result code and treats this as "matched", then the situation described would occur.

It would be interesting to test with other smooth objects that might activate the reader.
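
The hypothesis in the comment above, worked through as an added C example (not from the thread and not Samsung's code): a toy matcher returns the three result codes the commenter proposes, and a "non-zero means matched" check is compared with one that accepts only the single success value. The names, thresholds and sample feature vectors are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Result codes as hypothesised in the comment (not a real sensor API). */
enum { PRINT_INVALID = -1, PRINT_NO_MATCH = 0, PRINT_MATCH = 1 };

/* Constructed sample: 32-bit ridge feature vector plus a contrast score. */
struct sample {
    uint32_t features;
    int contrast;            /* 0..100; low means no usable ridges were read */
};

#define MIN_CONTRAST 40      /* assumed quality threshold */
#define MAX_DISTANCE 4       /* assumed Hamming-distance tolerance */

static int popcount32(uint32_t v) {
    int n = 0;
    while (v) { v &= v - 1; n++; }
    return n;
}

/* Toy matcher returning the tri-state result. */
int match_print(const struct sample *enrolled, const struct sample *probe) {
    if (probe->contrast < MIN_CONTRAST)
        return PRINT_INVALID;                 /* nothing fingerprint-like read */
    int dist = popcount32(enrolled->features ^ probe->features);
    return dist <= MAX_DISTANCE ? PRINT_MATCH : PRINT_NO_MATCH;
}

/* Fail-open: treats every non-zero code, including -1, as a match. */
int should_unlock_buggy(int result) { return result != 0; }

/* Fail-closed: only the one success value unlocks; unknown codes deny. */
int should_unlock_strict(int result) {
    switch (result) {
    case PRINT_MATCH:
        return 1;
    case PRINT_NO_MATCH:
    case PRINT_INVALID:
    default:
        return 0;
    }
}

int main(void) {
    struct sample enrolled = {0xA5A5F00Fu, 85};
    struct sample probes[] = {
        {0xA5A5F00Eu, 80},   /* owner, one feature bit differs */
        {0x13579BDFu, 82},   /* different finger, clear ridges */
        {0x00000000u, 5},    /* featureless read, e.g. through a gel layer */
    };
    const char *labels[] = {"owner", "other finger", "featureless"};
    for (int i = 0; i < 3; i++) {
        int r = match_print(&enrolled, &probes[i]);
        printf("%-13s result=%2d buggy=%d strict=%d\n", labels[i], r,
               should_unlock_buggy(r), should_unlock_strict(r));
    }
    return 0;
}
```

Only the featureless read separates the two policies: the fail-open check unlocks on it, the fail-closed check does not.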


https://www.engadget.com/2019/10/17/samsung-patch-fingerprin...

What is suspected here is that registering the finger with the screen protector on is masking the shape of the finger while still registering the touch action. As a result, it's enrolling a blank print. Then anyone else can unlock it afterwards with the screen protector still on.

Consider that screen protectors are designed and tested only to make sure touch actions work correctly, but this ultrasonic fingerprint ridge-shape detection technology is new, so they're probably not mutually compatible.

I don't know what was wrong with the swipe sensor. They're discreet, easy to keep clean, and hard to screw up. Maybe the only downside is they would keep them too close to the camera lens for accidental lens smudging.


The fingerprint is registered without the screen protector on - proof: https://twitter.com/Sta_Light_/status/1184475413252210688


Ah, what I understood from tfa is that you could take any mobile phone with a properly registered fingerprint (ie without having used a screen protector) and then unlock it by placing a screen protector between the fingerprint reader and any fingerprint.


there's an anecdote somewhere about how software security is almost never directly "cracked", but instead bypassed


I'm pretty sure this is caused by a hack by Samsung to make the fingerprint sensor work with screen covers.

    if (screencover) return true;


`return true;`


Good


[flagged]


Can you explain what you mean?


* All data collected will eventually end up in the possession of the deep state.

* A fingerprint reader that only reads and does not block users invites more users to have their fingerprint read.


You're stating an assumption as if it's a fact, and this requires everything we've been told about security enclave/Titan M/Trust Zone/etc to be a lie.

If you're going to believe that, there's no reason to believe that HN isn't uploading all user activity to the NSA for sentiment analysis and tracking.


HN is a public forum, a phone is not, but yes they could share my IP, browser etc. If they do store it somewhere it will be leaked anyway. Always assume that.

We do actually know that a lot of Android phones leak user data, especially ones owned by Chinese companies.

And yes, tech companies lie all the time. (also governments)


What is the deep state?

I think I get what you mean about the fingerprint reader and I agree.


[flagged]


Give it time. Only 6am EST and 3am PST (iirc) so most of the CA hners are still asleep.

I will say since this is limited to a single Samsung model I am curious if there is precedent for this to happen with other in screen fingerprint scanners.


Some of the California people should be asleep but are making the poor decision to stay up late ;)



